Full Report
SAP security advisory – July 2026 monthly rollup (AV26-690)
Analysis Summary
# Vulnerability: SAP Security Advisory – July 2026 Monthly Rollup
## CVE Details
*Note: Specific CVE IDs for the July 2026 cycle are typically indexed within the SAP Support Portal link provided in the advisory.*
- **CVE ID:** CVE-2026-XXXXX (Multiple)
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** Included categories typically involve Improper Access Control, Cross-Site Scripting (XSS), and Improper Input Validation.
## Affected Systems
- **Products & Versions:**
- **SAP Approuter (node.js):** Versions < 20.10.0 and < 21.2.0
- **SAP Change and Transport System Attach Tool (ctsattach):** Version CTS_UPLOAD_CLT 1
- **SAP Commerce Cloud:** HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21
- **SAP CRM (WebClient UI):** S4FND 104, 105, 106
- **SAP Fiori (launchpad):** SAP_UI 754 through 758, and 816
- **SAP Integration Suite (Edge Integration Cell):** Versions < 8.43.11
- **SAP HANA (User Self Service):** HDB 2.00
- **SAP NetWeaver AS ABAP (Kernel):** KERNEL 7.22 to 9.20 (Various builds)
- **SAP NetWeaver AS Java:** SERVERCORE 7.50, CORE-TOOLS 7.50, J2EE-APPS 7.50
- **SAP NetWeaver Enterprise Portal:** EP-RUNTIME 7.50
- **SAProuter (Windows):** KRNL64NUC/UC 7.22 to 9.18
- **SAP S/4 HANA:** S4CORE 102 through 109
## Vulnerability Description
This monthly rollup addresses a cluster of vulnerabilities ranging from low to critical severity. The critical components involve:
1. **SAP Approuter/Integration Suite:** Vulnerabilities in node.js packages that could lead to unauthorized access or remote code execution.
2. **SAP NetWeaver AS Java (Configuration Wizard):** Potential for complete administrative compromise if not patched.
3. **SAProuter (Windows):** Flaws in the communication proxy that may allow unauthorized network traversal.
4. **Business Server Pages (BSP):** Cross-site scripting and injection flaws in legacy web frameworks.
## Exploitation
- **Status:** Not currently reported as exploited in the wild (at time of release).
- **Complexity:** Low to Medium (depending on the specific component).
- **Attack Vector:** Primarily Network.
## Impact
- **Confidentiality:** High (Critical data exposure possible in Commerce Cloud/NetWeaver).
- **Integrity:** High (Modification of system configurations via AS Java).
- **Availability:** High (Potential for Denial of Service in SAProuter).
## Remediation
### Patches
SAP recommends applying the following Security Notes specifically:
- **SAP Approuter:** Upgrade to node.js package version 20.10.0 or 21.2.0.
- **SAP Integration Suite:** Upgrade Edge Integration Cell to version 8.43.11 or higher.
- **Kernel Updates:** Apply the latest Patch Level for SAP Kernels 7.22 through 9.20.
### Workarounds
- **SAProuter:** Restrict access via `SAProuttab` to known IP ranges only.
- **AS Java:** Disable the Configuration Wizard if not actively in use for initial setup.
- **General:** Implement network-level filtering to restrict access to SAP management ports (e.g., 5xx00, 32xx, 33xx).
## Detection
- **Indicators of Compromise:** Unusual administrative logins, unauthorized transport requests in `ctsattach`, or unexpected outbound traffic from the SAProuter.
- **Detection Methods:**
- Utilize the **SAP EarlyWatch Alert** service.
- Run the **SAP Security Optimization Configurer**.
- Monitor system logs for `HTTP 500` errors or unusual script execution in BSP applications.
## References
- SAP Support Portal: hxxps[://]support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/july-2026[.]html
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/sap-security-advisory-july-2026-monthly-rollup-av26-690