The Hacker News

כתבה מובילה

SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could

14 ביולי 2026, 18:17מאת info@thehackernews.com (The Hacker News)3 דק׳ קריאהcybersecurity
SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.

9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability.

Also addressed by SAP are two other critical vulnerabilities - "If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data," according to a description of CVE-2026-44761 in the NIST National Vulnerability Database (NVD).

"Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability." Onapsis noted that the vulnerability stems from sample configuration scripts previously provided in the SAP Help Portal. These scripts, originally meant for development and testing, configure OAuth 2.

0 clients with hard-coded, well-known credentials. "Older versions of the documentation did not explicitly warn customers against importing these default settings into production," it noted. "An unauthenticated attacker can leverage these publicly available, default credentials to obtain a valid access token.

With this token, they can invoke specific APIs to read and alter system data. Exploitation requires that the customer executed the sample script and retained the resulting OAuth 2. 0 client in production without replacing the hard-coded secret."

Although there is no evidence of the flaws being exploited in the wild, it's advised to apply the necessary updates for optimal protection. Learn how to secure AI agents with practical controls for access, visibility, secrets, and risk containment.

Learn how to govern risk, secure AI-built software, and keep control as development moves at machine speed.

להמשך הקריאה אצל המו"ל

אפשר להמשיך לאתר המקור אחרי חוויית הקריאה המלאה בתוך האפליקציה.

קריאה באתר המקור
טוען...