SAP NetWeaver Under Fire: CVE-2026-44748 (CVSS 9.9) SAML Bypass + CVE-2026-27671 (CVSS 9.8) — Indian Enterprises Must Patch Now
Your SAP NetWeaver installation is sitting on two loaded guns right now. On June 9, 2026, SAP’s monthly Patch Tuesday quietly shipped fixes for CVE-2026-44748 (CVSS 9.9) and CVE-2026-27671 (CVSS 9.8) — two critical vulnerabilities that together create a devastating attack chain against the ERP platform that processes payroll, financial transactions, supply chains, and sensitive HR data for thousands of enterprises across India and globally. A public proof-of-concept exploit is already on GitHub. The window before mass exploitation is closing.
SAP NetWeaver runs the backbone of Indian manufacturing, BFSI, pharmaceutical, and government IT landscapes. When a CVSS 9.9 authentication bypass pairs with a CVSS 9.8 unauthenticated remote code execution flaw in the same platform, the combination isn’t theoretical — it’s a ransomware operator’s dream. In my 30 years of securing enterprise networks, I’ve watched organisations delay SAP patches because “SAP is complex to update.” That excuse has an expiry date, and it expired the moment these PoCs went public.
Let me break down exactly what these vulnerabilities are, why they’re catastrophic for Indian deployments, and the precise steps your team needs to take before the weekend.
- CVE-2026-44748 (CVSS 9.9) — XML Signature Wrapping in SAP NetWeaver SAML authentication; a low-privileged attacker can impersonate any user including administrators.
- CVE-2026-27671 (CVSS 9.8) — Unauthenticated stack-based buffer overflow in the SAP kernel via crafted RFC requests; no credentials required for full system compromise.
- Both vulnerabilities affect SAP_BASIS versions 702 through 919 — virtually every supported SAP NetWeaver installation worldwide.
- Public proof-of-concept (PoC) exploit code for both CVEs is available on GitHub, lowering the skill bar for attackers significantly.
- Patches were released June 9, 2026 (SAP Security Notes #3746332 and #3717897); apply them immediately.
- No confirmed in-the-wild exploitation yet — but with PoC code public, active attacks are a matter of days, not weeks.
Understanding the Two Vulnerabilities and Why They’re a Perfect Storm
SAP NetWeaver is not a single product — it’s a platform layer that underpins SAP ERP, S/4HANA, BW, and dozens of other SAP applications. When you see “SAP_BASIS 702 through 919,” you’re reading a patch scope that covers the entire supported lifetime of the platform. Almost every SAP customer running NetWeaver is affected.
What makes June 2026’s release especially dangerous is the combination: CVE-2026-44748 lets an attacker with any valid SAP account impersonate a privileged user, while CVE-2026-27671 requires no account at all. An attacker can chain them — land on the system via the unauthenticated memory corruption bug, then use the SAML bypass to establish persistent, high-privilege access inside the SAP application layer.
| Attribute | CVE-2026-44748 | CVE-2026-27671 |
|---|---|---|
| CVSS Score | 9.9 (Critical) | 9.8 (Critical) |
| Vulnerability Type | XML Signature Wrapping (CWE-347) | Stack-Based Buffer Overflow (CWE-121) |
| Auth Required | Yes (low privileges sufficient) | No — unauthenticated |
| Attack Vector | Network (SAML/SSO interface) | Network (RFC dispatcher port) |
| Affected Scope | SAP_BASIS 702–919 | KRNL64NUC/UC 7.22–9.19 |
| Public PoC | Yes | Yes |
| SAP Patch Note | #3746332 | #3717897 |
Technical Deep Dive: CVE-2026-44748 — The SAML Signature Wrapping Attack
SAML (Security Assertion Markup Language) is the foundation of Single Sign-On in most enterprise SAP deployments. When a user authenticates through an Identity Provider (IdP) — whether Microsoft Entra, Okta, or an on-premises ADFS — the IdP issues a digitally signed XML assertion. SAP’s NetWeaver Application Server ABAP (AS ABAP) is supposed to verify that digital signature before granting access.
CVE-2026-44748 exploits XML Signature Wrapping (XSW): an attacker intercepts a legitimately signed SAML response, then restructures the XML document so the signature still validates against the original signed node, but the semantically processed part of the document — the part that declares who you are — contains attacker-controlled identity claims. Because SAP’s ABAP SAML handler (affected across SAP_BASIS 702 through 919) fails to correctly bind the cryptographic verification to the full document context, it accepts the tampered identity.
The practical consequence? An attacker with a standard employee SAP account can present a manipulated SAML assertion claiming to be the CFO, the system administrator, or any other high-privilege user. In SAP terms, that means access to:
- FI/CO modules — initiating wire transfers, manipulating general ledger entries
- HR/HCM data — accessing salary records, PAN numbers, aadhaar-linked payroll data
- SAP Basis administration — creating backdoor accounts, downloading transport logs, modifying authorisation objects
- Supply chain master data — altering vendor bank account numbers (a classic BEC attack inside SAP)
According to NVD’s entry for CVE-2026-44748, the attack vector is network-accessible, requires no user interaction, and the attack complexity is rated Low — meaning automated exploitation at scale is straightforward once a PoC exists. It now does.
Technical Deep Dive: CVE-2026-27671 — Unauthenticated RFC Memory Corruption
If CVE-2026-44748 is the privilege escalation tool, CVE-2026-27671 is the door-kicker — and it requires no credentials whatsoever. The SAP kernel’s RFC (Remote Function Call) dispatcher, the core communication mechanism between SAP systems and external applications, improperly validates incoming protocol messages. An attacker can send a specially crafted RFC packet that triggers logical errors in the kernel’s memory management routines, causing a stack-based buffer overflow.
Stack-based buffer overflows in a kernel component are as serious as it gets. A controlled overflow can overwrite the return address of the vulnerable function with attacker-supplied shellcode, leading to arbitrary code execution under the SAP kernel’s OS-level privileges — typically a dedicated OS account with broad filesystem access. BleepingComputer’s coverage confirms the affected component is the SAP kernel across versions 7.22 through 9.19.
The RFC dispatcher port (typically 3300+instance_number) is frequently exposed internally across enterprise networks and sometimes — incorrectly — on perimeter firewalls for B2B integration. Every exposed RFC port is a potential unauthenticated RCE entry point until the patch is applied.
The Indian Enterprise Context: Why This Hits Harder Here
India runs on SAP. The Indian ERP market is dominated by SAP NetWeaver-based deployments across manufacturing (automotive, pharma, chemicals), BFSI (insurance, banking, NBFCs), government (PSUs, defence supply chains), and retail. Many of these deployments run legacy BASIS versions — some still on BASIS 7.02 or 7.53 — precisely because SAP upgrades are expensive, complex, and require significant downtime planning.
The “we’ll patch it in the next maintenance window” mindset, which might have been tolerable for a CVSS 7.x vulnerability, is not acceptable for a CVSS 9.9 flaw with a public exploit. The Indian CERT-In’s directive under CERT-In’s vulnerability disclosure framework requires patching critical flaws promptly; regulatory exposure compounds the operational risk.
Additionally, many Indian SAP landscapes use flat network architectures where the SAP Application Server is reachable from broad internal segments. This means CVE-2026-27671’s RFC exploit can pivot laterally without any perimeter firewall bypass — an insider threat, a compromised endpoint, or a phishing victim becomes the launchpad.
What You Should Do Right Now — Sanjay’s Expert Playbook
I’ve been through enough emergency SAP patching exercises with clients to know that “patch immediately” is not a plan. Here is an actionable playbook, ordered by priority:
- Identify your SAP BASIS version today. Run transaction SM51 or check the SAP kernel version via `disp+work -V` on the OS. If you’re on BASIS 702 through 919, you are affected. Don’t assume your BASIS admin has already done this — verify.
- Apply SAP Security Notes #3746332 and #3717897 immediately. Download them from SAP Support Portal (requires S-User). Test in a non-production system first, but given the severity, compress your test cycle to 24–48 hours maximum. These are not optional patches.
- Restrict RFC port access at the network layer right now — before the patch lands. Block external and cross-segment access to SAP dispatcher ports (32<NN>, 33<NN>, 36<NN> where NN is the instance number) using firewall rules. This mitigates CVE-2026-27671 until the kernel patch is applied. If your network team needs authorisation, escalate now — this is a P1 security emergency.
- Audit your SAML configuration for CVE-2026-44748. If SAML/SSO is not in use, disable it via SICF and SAML2 transactions in SAP. If it is in use, verify that your SAP kernel and BASIS patch level is current; the temporary workaround (disabling SAML) may disrupt SSO workflows for your users. Weigh the disruption against the risk of an authentication bypass.
- Review SAP audit logs for anomalous access patterns. Check SM20 (Security Audit Log) for unusual logins, role assignments, or access to FI/CO transactions from unexpected users or at unusual times. The PoC has been public since June 2026; if you haven’t patched, assume someone may have already probed your environment. Our managed detection and response service can rapidly triage these logs if your team is stretched.
- Run a vulnerability assessment against your SAP landscape. Tools like SAP’s own ABAP Test Cockpit (ATC) and third-party SAP security scanners can identify whether your system is exposed. If you don’t have SAP security expertise in-house, bring in specialists before the next business cycle.
- Document and report. Under CERT-In’s 2022 cybersecurity directions, significant vulnerabilities and incidents must be reported within the prescribed timelines. If you believe your SAP systems have already been compromised, incident response — not just patching — is the correct next step. Refer to our ransomware first-hour response guide for the initial triage framework.
Patch Timeline and Official Advisories
SAP’s June 2026 Security Patch Day (June 9, 2026) addressed 15 security vulnerabilities across the product portfolio. Of these, four were rated Critical (CVSS 9.0+). CVE-2026-44748 and CVE-2026-27671 represent the highest-severity findings, with patch notes available through the SAP Support Portal for customers with valid S-User credentials.
The SecurityWeek report on SAP’s June patches confirmed that as of the publication date, no confirmed active exploitation had been detected in the wild. However, this status changes rapidly once PoC code circulates — a pattern we’ve seen repeatedly with Oracle, Citrix, and Fortinet vulnerabilities in recent months. The time between “PoC published” and “mass exploitation campaign” is now measured in days, not months.
The SOCRadar threat intelligence analysis additionally highlights that CVE-2026-44748 maps directly to Business Email Compromise (BEC) scenarios inside SAP — where an attacker with forged identity claims can redirect vendor payments to attacker-controlled accounts. In India’s ERP-driven procurement environments, this is not a hypothetical scenario.
What exactly is XML Signature Wrapping and why is it so dangerous?
XML Signature Wrapping (XSW) is a class of attack against SAML-based authentication systems. A correctly signed SAML token has a digital signature over specific XML elements. In a wrapping attack, the attacker duplicates or repositions XML nodes so the signature validation routine checks against the original (legitimate) signed node, while the application logic reads attacker-controlled identity data from a different part of the document. The system believes it verified the signature — it did, just not over the data it actually processed. This is why CVE-2026-44748 is rated CVSS 9.9: it requires minimal attacker skill once the pattern is known.
Do I need to be on the internet to be vulnerable to CVE-2026-27671?
No. CVE-2026-27671 exploits the SAP RFC dispatcher port, which is active on your internal network by default. Any user or process that can reach the SAP application server’s RFC port — including any internal machine, any compromised endpoint, or any lateral movement from a breached host — can potentially trigger the unauthenticated buffer overflow. This makes network segmentation a critical compensating control, not just a best practice.
Can I just disable SAML temporarily to avoid CVE-2026-44748?
Yes, but with significant caveats. Disabling SAML authentication via SAP transaction SAML2 and deactivating the relevant ICF services will eliminate the attack surface for CVE-2026-44748. However, this will break all SSO-dependent workflows for your users — any application that relies on federated login will require users to authenticate directly with SAP credentials. This may be acceptable for a 24–48 hour emergency window while patching is planned. It is not a permanent solution.
Are SAP S/4HANA Cloud customers affected?
SAP manages patching for cloud-hosted S/4HANA environments and has confirmed these patches are being applied on the cloud side. If you run SAP S/4HANA Private Cloud or any on-premise NetWeaver deployment, you are responsible for applying the patches yourself. Verify your cloud contract terms and confirm with your SAP account team or cloud operations team that the relevant security notes have been applied to your instance.
The Bottom Line
CVE-2026-44748 and CVE-2026-27671 are the kind of vulnerabilities that end careers and make headlines — not because they’re novel in concept, but because they’re broadly deployed, publicly exploitable, and catastrophic in impact. SAP NetWeaver sits at the centre of financial, operational, and HR data for thousands of organisations. A CVSS 9.9 authentication bypass and a CVSS 9.8 unauthenticated RCE in the same platform, with PoC code in the wild, is not a “schedule it for next quarter” situation.
If you’re running SAP NetWeaver in your organisation and haven’t validated your patch status today, stop reading and do it now. If you need help rapidly assessing your SAP security posture, hardening your network architecture around SAP ports, or standing up monitoring to detect exploitation attempts, my team is ready to act.
Ready to secure your SAP environment before attackers exploit these vulnerabilities? Book a security assessment with Sanjay Seth — we specialise in enterprise ERP and network security for India’s critical infrastructure.