SAP security advisory – June 2026 monthly rollup (AV26-562)
# Vulnerability: SAP Security Patch Day - June 2026 Monthly Rollup
## CVE Details
*Note: As this is a high-level rollup advisory, specific CVE IDs for each component are mapped in the individual SAP Security Notes (see References).*
- **CVE ID:** Multiple (Part of June 2026 Rollup)
- **CVSS Score:** Range from Low to Critical (Specific scores vary by component)
- **CWE:** Multiple (Includes Injection, Improper Access Control, and Information Disclosure)
## Affected Systems
- **SAP NetWeaver AS ABAP & ABAP Platform:**
  - SAP_BASIS versions: 700 through 758, 816, 918, 919
  - Kernel versions: 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 91.9
- **SAP Commerce Cloud & Data Hub:** HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211 (including JDK21 variants)
- **SAP NetWeaver AS Java:** Web Container (ENGINEAPI 7.50), JDBC Test Servlet (BI_UDI 7.50), SERVERCORE 7.50
- **SAP Business Objects (BI Platform):** Versions 430, 2025, 2027
- **SAP S/4HANA:** S4FND 102 through 109
- **ODP Data Replication APIs:** DW4CORE, PI_BASIS, and SAP_BW variants
- **Peripheral Applications:** SAP Fiori (launchpad), SAP MDG, and SAP Wily Introscope Enterprise Manager
## Vulnerability Description
This rollup addresses a variety of security flaws across the SAP ecosystem. Specific technical details are restricted to customers via the individual SAP Security Notes; at a high level, the vulnerabilities include:
- **Improper Access Control** in SAP ABAP and Java stacks.
- **Remote Code Execution (RCE)** or **Insecure Deserialization** risks in legacy servlet components (e.g., JDBC Test Servlet).
- **Injection flaws** within SAP Business Objects and SAP S/4HANA.
- **Cross-Site Scripting (XSS)** and navigation risks in SAP Fiori launchpads.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; however, PoC scripts for SAP Kernel and NetWeaver vulnerabilities often appear shortly after Patch Day, so the patch window should be treated as short.
- **Complexity:** Ranges from Low to Medium.
- **Attack Vector:** Primarily Network (Remote).
## Impact
- **Confidentiality:** High (Potential unauthorized data access)
- **Integrity:** High (Potential modification of business records)
- **Availability:** High (Potential Denial of Service/System instability)
## Remediation
### Patches
SAP recommends applying the following Support Packages and Security Notes immediately:
- **NetWeaver:** Apply relevant SAP_BASIS and Kernel patches for your specific version.
- **Commerce Cloud:** Transition to patched builds (2205/2211 series).
- **Business Objects:** Update to the latest Service Pack for Enterprise 430 or 2025/2027.
### Workarounds
- **Servlet Disabling:** For the JDBC Test Servlet (BI_UDI 7.50), consider disabling the servlet if not required for diagnostic purposes.
- **Network Segmentation:** Limit access to the SAP Management Console and internal application ports to authorized administrative subnets.
## Detection
- **Indicators of Compromise:** Unusual administrative logins, unauthorized execution of OS commands via the SAP Kernel, or repeated failed authentications in the Gateway logs.
- **Detection methods and tools:** Use the **SAP Solution Manager (SolMan)** System Recommendations to identify missing security notes. Perform scans using vulnerability scanners with updated SAP plugins.
## References
- **SAP Security Patch Day Portal:** hxxps[://]support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/june-2026[.]html
- **Canadian Centre for Cyber Security Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/sap-security-advisory-june-2026-monthly-rollup-av26-562