SAP's July 2026 security update included CVE-2026-44747, an out-of-bounds write vulnerability in NetWeaver Application Server ABAP with a CVSS score of 9.9. This flaw allows an authenticated attacker to read or modify arbitrary memory, potentially leading to unauthorized data access or system compromise. SAP also patched CVE-2026-44761, a default credential issue in Commerce Cloud that enables unauthorized data access.
Timeline
While there's no public exploitation timeline for these vulnerabilities, the sequence is critical:
- SAP released patches in their July 2026 security update.
- Onapsis published vulnerability details and workarounds.
- The NIST National Vulnerability Database cataloged the flaws with technical descriptions.
The risk lies in the window between disclosure and patch deployment. If you're running NetWeaver ABAP or Commerce Cloud and haven't applied these patches, you're operating with known critical vulnerabilities.
Which Controls Failed
Memory safety validation. CVE-2026-44747 is an out-of-bounds write flaw. Your application shouldn't allow memory operations outside allocated boundaries. This is a logical error in memory management that bypassed existing input validation.
Secure defaults. CVE-2026-44761 stems from default credentials in SAP Commerce Cloud. Default credentials are a known vulnerability. If your deployment process doesn't enforce credential changes during initial setup, you've built in a vulnerability from day one.
ICF node configuration. The workaround for CVE-2026-44747 involves disabling all ICF nodes with a specific property in transaction SICF. This indicates the vulnerable code path runs through Internet Communication Framework services. If you're not auditing which ICF services are enabled and why, you don't know your attack surface.
Patch lag. The biggest control failure isn't technical. It's the gap between patch availability and deployment. SAP released fixes. The question is: how long until they're running in your environment?
What Standards Require
NIST 800-53 Rev 5 SI-2 (Flaw Remediation) requires organizations to identify, report, and correct system flaws. The control specifies remediation time frames based on risk. A CVSS 9.9 vulnerability demands immediate action. SI-2(2) adds automated patch management tools to the requirement.
PCI DSS v4.0.1 Requirement 6.3.3 states you must deploy security patches within one month of release for critical patches. A 9.9 CVSS score qualifies. If cardholder data touches your SAP environment, you're out of compliance until these patches deploy.
ISO/IEC 27001:2022 Control 8.8 covers management of technical vulnerabilities. You need a process to identify vulnerabilities, assess risk, and apply patches. The standard requires documented procedures and timelines.
SOC 2 Type II CC7.1 covers system monitoring and vulnerability management. Your auditor will ask: how do you identify critical vulnerabilities? What's your remediation timeline? Can you prove patches deployed within your policy window?
The workaround for CVE-2026-44747 involves disabling ICF nodes in transaction SICF. Workarounds buy time, but they're not remediations. Standards require you to apply the actual patch, not just mitigate the risk indefinitely.
Lessons and Action Items
Build a SAP-specific patch process. SAP releases security notes monthly. You need a dedicated workflow: subscribe to SAP security notifications, review notes within 24 hours, assess impact on your landscape, test patches in development, and deploy to production based on severity. A 9.9 should move through this pipeline in days, not weeks.
Audit your ICF services now. Open transaction SICF. List all active services. For each one, ask: do we need this? What does it do? Who can access it? Disable anything you can't justify. The workaround for CVE-2026-44747 targets specific ICF node properties. If you don't know what's running, you can't secure it.
Eliminate default credentials. CVE-2026-44761 exploits default credentials in Commerce Cloud. Run a credential audit across your SAP landscape. Check for default users, unchanged initial passwords, and shared service accounts. Force password changes on first login. Better yet, use certificate-based authentication where possible.
Test your memory safety assumptions. Out-of-bounds write vulnerabilities like CVE-2026-44747 bypass input validation. If you're running custom ABAP code, review it for memory operations. Use SAP Code Vulnerability Analyzer (CVA) to scan for common flaws. Don't assume SAP's standard code is the only risk.
Measure your patch lag. Calculate the median time between SAP security note release and production deployment. If it's over 30 days for critical patches, you're failing PCI DSS v4.0.1 Requirement 6.3.3. Track this metric monthly. Your goal: critical patches in production within two weeks.
Document your workarounds. If you deploy the ICF node workaround for CVE-2026-44747, document it. Set a reminder to remove the workaround after you apply the patch. Workarounds that become permanent are technical debt that auditors will flag.
Automate vulnerability scanning. You can't patch what you don't know about. Use tools that scan your SAP landscape for missing security notes. Onapsis, SAP Solution Manager, and third-party tools can identify gaps. Run scans weekly, not quarterly.
The core lesson: SAP vulnerabilities don't wait for your change control board to meet. A CVSS 9.9 flaw in NetWeaver ABAP is an emergency. Your patch process needs to handle emergencies without breaking production. If you can't deploy a critical SAP patch within two weeks, fix your process before the next vulnerability drops.



