Back to advisories

SAP warns of critical flaws in NetWeaver and Commerce Cloud

SAP released patches for 16 vulnerabilities including three critical flaws affecting NetWeaver AS ABAP, AppRouter, and Commerce Cloud. Memory corruption, HTTP request smuggling, and default credentials could allow unauthenticated attackers to execute code or bypass authentication on affected SAP infrastructure. No active exploitation confirmed yet, but these are high-value targets.

CRITICALAdvisoryJul 15, 2026
Action required
Inventory all SAP NetWeaver, AppRouter, and Commerce Cloud instances in your environment. Prioritize patching CVE-2026-44747, CVE-2026-27690, and CVE-2026-44761 immediately. Monitor logs for exploitation attempts against these services while patches are deployed.
Affected products
SAPSAP NetWeaver Application Server ABAPSAP AppRouterSAP Commerce CloudSAP Business Technology Platform