
The Third Nerve Center: SAP Just Patched Four Nine-Point Holes in the System That Runs Your Money — and One of Them Needs No Login.

  • Writer: Patrick Duggan
  • a few seconds ago
  • 4 min read

Yesterday we wrote that the two systems an attacker most wants are the boring, trusted ones nobody thinks of as front doors — the service desk and the backup server — and that you should weight your attention toward the nerve centers rather than the perimeter. There is a third nerve center, and it patched four critical holes this week. SAP, the enterprise resource planning platform that runs the finance, supply chain, and human resources of a very large share of the world's big companies, released its June Security Patch Day with fifteen notes, four of them critical and clustered at the top of the severity scale. If the service desk is where the work is tracked and the backup is where recovery lives, SAP is where the money is — and the money is exactly what the extortion economy is built to reach.



The Two That Should Move Your Maintenance Window


Four critical bugs is a lot, but two of them define the urgency. The most severe by the numbers is CVE-2026-44748, rated 9.9, an XML Signature Wrapping vulnerability in the SAML authentication of SAP NetWeaver Application Server ABAP. In plain terms, it lets an attacker who already holds a low-privileged signed message tamper with the XML around it and have the verifier accept the modified identity — which means forged or escalated identity claims, access to data they should not see, and privilege escalation across connected systems. Signature wrapping is an old, vicious class of flaw precisely because it turns the authentication system itself into the thing that vouches for the attacker, and in an SAP estate where one ABAP system federates trust to many others, a believable forged identity does not stay contained to one box.
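To make concrete what "the verifier accepts the modified identity" means, here is an added example that is not SAP's code and not a real SAML or XML-DSig implementation: a toy HMAC stands in for the IdP signature, element names are simplified, and the wrapped input is a constructed regression fixture for the verifier. The naive verifier checks the signature on whichever element carries the referenced ID but reads the identity from the first Assertion it finds; the hardened one binds both to the same element.

```python
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed key standing in for the IdP signing key; HMAC stands in for XML-DSig.
IDP_KEY = b"constructed-idp-signing-key"

def sign(data: str) -> str:
    return hmac.new(IDP_KEY, data.encode(), hashlib.sha256).hexdigest()

def canon(elem) -> str:
    """Toy canonicalization: serialize the element alone, without trailing text."""
    e = copy.deepcopy(elem)
    e.tail = None
    return ET.tostring(e, encoding="unicode")

def issue_response(name_id: str, assertion_id: str = "a1") -> str:
    """IdP side: a Response whose Assertion is covered by the signature."""
    assertion = f'<Assertion ID="{assertion_id}"><NameID>{name_id}</NameID></Assertion>'
    return (f'<Response>{assertion}<Signature><Reference URI="#{assertion_id}"/>'
            f'<SignatureValue>{sign(assertion)}</SignatureValue></Signature></Response>')

def signed_element(root):
    """Resolve the Reference URI anywhere in the tree; return that element if its signature verifies."""
    sig = root.find("Signature")
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    target = next((e for e in root.iter() if e.get("ID") == ref_id), None)
    if target is None:
        return None
    ok = hmac.compare_digest(sign(canon(target)), sig.findtext("SignatureValue") or "")
    return target if ok else None

def verify_naive(response_xml: str):
    """Vulnerable: signature checked on whatever carries the ID, identity read from the first Assertion."""
    root = ET.fromstring(response_xml)
    if signed_element(root) is None:
        return None
    return root.find(".//Assertion").findtext("NameID")

def verify_strict(response_xml: str):
    """Hardened: exactly one Assertion, a direct child, and it must be the element the signature covered."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("Assertion")
    if len(assertions) != 1 or signed_element(root) is not assertions[0]:
        return None
    return assertions[0].findtext("NameID")

def wrapped_fixture(response_xml: str, forged_name_id: str) -> str:
    """Constructed regression input: signed Assertion moved under Extensions, an unsigned one put first."""
    root = ET.fromstring(response_xml)
    genuine = root.find("Assertion")
    root.remove(genuine)
    ET.SubElement(root, "Extensions").append(genuine)
    forged = f'<Assertion ID="forged"><NameID>{forged_name_id}</NameID></Assertion>'
    return ET.tostring(root, encoding="unicode").replace("<Response>", "<Response>" + forged, 1)
```

The genuine signature still verifies in the wrapped document because the signed element is untouched, which is exactly why a verifier must also check that the element it authenticated is the one it takes the identity from.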


The one I would actually patch first, though, is CVE-2026-27671, rated 9.8, a memory-corruption flaw in the Application Server ABAP kernel reached through improper validation of the RFC protocol — because unlike the SAML bug, it is unauthenticated. An attacker does not need any credentials. They send a specially crafted RFC request, exploit logical errors in how the kernel manages memory, and land a high-impact compromise of confidentiality, integrity, and availability on the core of the system. RFC is the connective tissue of an SAP landscape, frequently reachable between systems and sometimes exposed further than anyone intends, and an unauthenticated memory-corruption bug in the kernel that speaks it is the kind of thing ransomware and extortion crews build access tooling around. The other two criticals round out the picture and are not afterthoughts: a Spring Security flaw in SAP Commerce Cloud and Data Hub, CVE-2026-22732 at 9.1, unauthenticated and remote; and a directory-traversal bug, CVE-2026-40128 at 9.0, where an unauthenticated attacker crafts a malicious logon request that escapes the application directory through path-traversal sequences to read or modify files. Three of the four critical bugs require no login at all.



SAP Is A Repeat Name On The Exploited List, Not An Unlucky One


This is the part that should change how you prioritize it. SAP NetWeaver is not a system that occasionally has a bad month; it is a recurring entry on the Known Exploited Vulnerabilities catalog. The catalog already carries the NetWeaver missing-authentication flaw that let unauthenticated users create administrative accounts, the Invoker Servlet bug that gave unauthenticated remote code execution, multiple directory traversals, a SQL injection in the J2EE engine, and an unrestricted file upload — a years-long pattern of internet-reachable, often-unauthenticated holes in a platform that sits at the financial center of the enterprise. Read this June batch against that history and the message is the same one we keep arriving at from different vendors: the systems most central to how a business runs and pays and recovers are under sustained structural pressure, and a critical SAP note is not a routine patch-queue item to be scheduled for next quarter. It is a hole in the floor of the room where the money is kept.



What A Defender Does


Patch the four criticals on a real timeline, and lead with CVE-2026-27671 because it is unauthenticated and it is in the kernel. Beyond the patches, treat RFC and SAP's network exposure as a first-class attack surface: an SAP system reachable from anywhere it does not strictly need to be reachable from is the precondition for the unauthenticated bugs, and pulling RFC and the application server behind tight network segmentation removes that precondition for most of this batch at once, just as it does for an exposed file-transfer server or backup server. Inventory which of your SAP systems are internet-facing or reachable from low-trust network segments and treat those as the priority. And take the franchise lesson we have now written three days running, across the service desk, the backup server, and the books: the highest-leverage place to look is not the firewall, it is the trusted internal system that everything else depends on and that nobody is watching closely — because that is the one an attacker treats as the master key, and SAP is the master key to the money.





