// NEXUSVOID CYBER NEWS
<- ALL CYBER NEWS
Critical
SAP, NetWeaver, ABAP, CVE-2026-44747, ERP security, critical vulnerability
SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Can Expose or Alter Business Data
SAP's July updates fix a near-max CVSS 9.9 out-of-bounds write in NetWeaver Application Server ABAP (CVE-2026-44747) that an authenticated attacker can use to read, modify, or disrupt data on the ERP system of record.
What happened. SAP's July 2026 security updates address multiple vulnerabilities, led by CVE-2026-44747 (CVSS 9.9), an out-of-bounds write in SAP NetWeaver Application Server ABAP. An authenticated attacker can leverage logical errors in memory management to cause memory corruption that leads to unauthorized data access, data modification, or system unavailability. Two further critical-range flaws (including CVE-2026-27690, CVSS 9.1) were patched in the same cycle.
Who's affected. Enterprises running SAP NetWeaver AS ABAP — the runtime under much of the SAP estate, from ERP to finance and supply-chain systems. Because the flaw requires authentication, it will get deprioritized on many patch queues. That's a mistake: ABAP sits on the system of record, and authenticated access is exactly what an attacker has after any initial foothold.
What to do now. Apply the SAP Security Note for CVE-2026-44747 in your next emergency window. SAP's temporary workaround — disabling specific ICF nodes via transaction SICF — breaks SAP GUI for HTML and won't be viable for every shop, per Onapsis, so plan for the patch rather than leaning on the mitigation.
Our read. "Authenticated" is not "safe" — it's the second step of nearly every real intrusion, and a 9.9 on the ERP is a 9.9 on the crown jewels. For regulated organizations this is also an evidence problem: auditors increasingly expect proof that you actively test the systems holding financial and customer data, not just that you scanned them. A near-max flaw on the business system of record is precisely where point-in-time assessment leaves the widest gap between "compliant" and "actually verified."
Reporting by The Hacker News and SecurityWeek; workaround guidance per Onapsis. Sources linked above.