<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SAP SE - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/sap-se/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 01:21:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/sap-se/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-44752: SAP NetWeaver Application Server Java Cross-Site Scripting Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-sap-netweaver-xss/</link><pubDate>Tue, 14 Jul 2026 01:21:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sap-netweaver-xss/</guid><description>An unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability (CVE-2026-44752) in SAP NetWeaver Application Server Java by injecting malicious JavaScript through crafted URLs, leading to client-side script execution, access to sensitive session information, and modification of non-sensitive data, resulting in high confidentiality impact and low integrity impact.</description><content:encoded><![CDATA[<p>A critical client-side cross-site scripting (XSS) vulnerability, identified as CVE-2026-44752, has been discovered in SAP NetWeaver Application Server Java, specifically affecting Configuration Wizard (LMCTC 7.50). This vulnerability allows an unauthenticated attacker to inject arbitrary malicious JavaScript code into a crafted URL. When a victim accesses this malicious URL, the embedded script executes within their browser in the context of the vulnerable SAP application. This client-side execution grants the attacker the ability to access and potentially exfiltrate sensitive session-related information, such as cookies or session tokens, and to modify non-sensitive data displayed to the user. The exploitation leads to a high impact on confidentiality and a low impact on integrity, with no impact on the availability of the application.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Malicious URL Crafting</strong>: An unauthenticated attacker identifies a vulnerable SAP NetWeaver Application Server Java instance that improperly sanitizes URL input. The attacker crafts a malicious URL containing injected JavaScript code designed to perform actions within the victim's browser.</li>
<li><strong>Victim Enticement</strong>: The attacker distributes the crafted URL to a potential victim, typically employing social engineering tactics such as phishing emails, instant messages, or compromised websites, to persuade the victim to click the malicious link.</li>
<li><strong>Client-Side Request</strong>: Upon clicking the link, the victim's web browser sends an HTTP request containing the crafted URL to the vulnerable SAP NetWeaver Application Server Java.</li>
<li><strong>Vulnerable Server Response</strong>: The SAP NetWeaver Application Server Java, due to CVE-2026-44752, processes the crafted URL and incorporates the attacker's malicious JavaScript directly into the HTML response without adequate sanitization.</li>
<li><strong>Malicious Script Execution</strong>: The victim's web browser receives the server's response and executes the embedded malicious JavaScript within the security context of the legitimate SAP NetWeaver Application Server Java domain.</li>
<li><strong>Session Information Exfiltration</strong>: The executed JavaScript accesses and exfiltrates sensitive session information, such as authentication cookies, session tokens, or other client-side credentials, back to an attacker-controlled server.</li>
<li><strong>Impersonation and Data Manipulation</strong>: The attacker utilizes the stolen session information to hijack the victim's session, impersonate the victim within the SAP application, or manipulate non-sensitive data displayed in the victim's browser, potentially leading to unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-44752 allows an attacker to compromise the confidentiality of user sessions by stealing sensitive data like authentication tokens or cookies. This could lead to unauthorized access to the victim's SAP application session. While the integrity impact is described as low, an attacker can modify non-sensitive data displayed in the victim's browser, which could be used for further deception or targeted attacks. There is no direct impact on the availability of the SAP NetWeaver application itself. The lack of authentication required for exploitation makes this a significant risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-44752 on all affected SAP NetWeaver Application Server Java instances immediately by applying the updates referenced in SAP Security Note 3748227.</li>
<li>Implement robust content security policies (CSPs) on web servers hosting SAP NetWeaver to mitigate client-side script injection risks, even if server-side sanitization fails.</li>
<li>Educate users on identifying and avoiding suspicious URLs and phishing attempts to prevent them from accessing crafted malicious links.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>sap</category><category>java</category><category>web-vulnerability</category></item><item><title>Unauthenticated Arbitrary Code Execution in SAProuter via DLL Hijacking (CVE-2026-0487)</title><link>https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/</link><pubDate>Tue, 14 Jul 2026 01:20:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/</guid><description>An unauthenticated attacker can exploit CVE-2026-0487, a vulnerability in SAProuter running on Microsoft Windows, by loading malicious DLL files from an untrusted location, allowing them to execute arbitrary code on the affected system with high impact on confidentiality, integrity, and availability.</description><content:encoded><![CDATA[<p>CVE-2026-0487 describes a critical vulnerability in SAProuter on Microsoft Windows, allowing an unauthenticated attacker to achieve arbitrary code execution through DLL hijacking. The flaw enables the router to load library (DLL) files from untrusted locations, which an attacker can exploit to execute malicious code. This vulnerability, stemming from an uncontrolled search path element (CWE-427), has a CVSS v3.1 base score of 8.4, indicating a high impact on the confidentiality, integrity, and availability of the affected system. Multiple versions of SAProuter are impacted, including KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.53, SAP_ROUTER 7.53, 7.54, KERNEL 7.22, 7.77, 7.89, 7.93, 9.16, 9.17, and 9.18. Organizations using vulnerable SAProuter versions on Windows should prioritize patching to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An unauthenticated attacker gains network access to the target system running SAProuter.</li>
<li><strong>Vulnerability Identification</strong>: The attacker identifies an untrusted or non-standard directory within SAProuter's DLL search path that can be written to, either due to inherent design flaws (CWE-427) or another vulnerability.</li>
<li><strong>Malicious DLL Placement</strong>: The attacker places a specially crafted malicious DLL (e.g., <code>ws2_32.dll</code> impersonation, or other known loadable DLLs) into the identified untrusted directory.</li>
<li><strong>Legitimate Operation Trigger</strong>: When the SAProuter process performs an action that requires loading a legitimate system DLL (e.g., during startup or routine operations), its uncontrolled search path prioritizes the untrusted directory.</li>
<li><strong>Malicious DLL Loading</strong>: SAProuter, unaware of the malicious intent, loads and attempts to execute the attacker's DLL instead of the legitimate one.</li>
<li><strong>Arbitrary Code Execution</strong>: The malicious code embedded within the attacker's DLL is executed within the security context of the SAProuter process, allowing the attacker to gain full control over the process and potentially the underlying system.</li>
<li><strong>Impact</strong>: The attacker can then perform various post-exploitation activities, such as establishing persistence, exfiltrating sensitive data, or deploying additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0487 allows an unauthenticated attacker to achieve arbitrary code execution on the compromised system. This leads to a severe impact on the confidentiality, integrity, and availability of the system where SAProuter is installed. Attackers can gain full control over the affected SAProuter process, potentially leading to unauthorized access to SAP systems, data manipulation, or denial-of-service conditions. Given the critical role of SAProuter in connecting SAP systems to external networks, a compromise could have widespread implications for an organization's business operations and data security. The specific number of potential victims or targeted sectors is not provided, but any organization using vulnerable SAProuter versions on Microsoft Windows is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-0487</strong>: Immediately apply the security patches provided by SAP SE, referenced by SAP Note 3692165 and the SAP Security Patch Day updates.</li>
<li><strong>Monitor for Suspicious DLL Loading</strong>: Deploy the provided Sigma rule to your SIEM to detect <code>SAProuter.exe</code> loading DLLs from unusual or non-standard paths, which could indicate exploitation attempts of CVE-2026-0487.</li>
<li><strong>Enable Sysmon Event ID 7</strong>: Ensure Sysmon Event ID 7 (ImageLoad) logging is enabled on all Windows systems running SAProuter to capture DLL loading activities required by the detection rule.</li>
<li><strong>Review SAProuter Configurations</strong>: Regularly audit SAProuter configurations to ensure that its DLL search paths do not include user-writable or untrusted locations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dll-hijacking</category><category>code-execution</category><category>vulnerability</category><category>cve</category></item><item><title>Exploitation of CVE-2026-44747 in SAP NetWeaver ABAP via Memory Corruption</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-44747-sap-netweaver/</link><pubDate>Tue, 14 Jul 2026 01:18:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-44747-sap-netweaver/</guid><description>An authenticated attacker can exploit CVE-2026-44747, an out-of-bounds write vulnerability in SAP NetWeaver Application Server ABAP, to cause memory corruption leading to unauthorized data access, modification, or system unavailability, severely impacting confidentiality, integrity, and availability.</description><content:encoded><![CDATA[<p>CVE-2026-44747 details a critical vulnerability impacting SAP NetWeaver Application Server ABAP across multiple kernel versions, including KRNL64NUC 7.22, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, and 9.20. This flaw, categorized as an out-of-bounds write (CWE-787), allows an authenticated attacker to trigger logical errors within the application's memory management. Successful exploitation results in memory corruption, enabling attackers to gain unauthorized access to sensitive data, modify existing data, or disrupt the availability of the SAP application. The vulnerability poses a significant risk to organizations using affected SAP NetWeaver ABAP systems, with a CVSS v3.1 Base Score of 9.9, indicating high impact on confidentiality, integrity, and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker first obtains valid credentials to an affected SAP NetWeaver Application Server ABAP instance through various means, such as credential compromise or insider threats.</li>
<li><strong>Vulnerability Exploitation</strong>: The authenticated attacker crafts and sends specific inputs or requests that target logical errors in the server's memory management functions.</li>
<li><strong>Memory Corruption Trigger</strong>: These crafted inputs cause an out-of-bounds write (CWE-787) within the SAP NetWeaver ABAP application's memory space, leading to memory corruption.</li>
<li><strong>Unauthorized Data Access</strong>: The attacker leverages the corrupted memory to read sensitive or confidential data stored within the application's process memory.</li>
<li><strong>Data Modification</strong>: Alternatively, the attacker may write to unauthorized memory locations to alter critical application data, configurations, or system parameters.</li>
<li><strong>System Unavailability</strong>: In severe cases, the memory corruption can lead to the instability, crash, or complete denial of service for the SAP NetWeaver Application Server ABAP instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-44747 has a severe impact on the affected SAP NetWeaver Application Server ABAP. Attackers can achieve unauthorized access to confidential business data, modify crucial operational information, or render the system completely unavailable. This directly compromises the confidentiality, integrity, and availability of critical business processes and data managed by the SAP system. For organizations relying on these systems, this could lead to significant financial losses, operational disruption, regulatory penalties, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-44747 on all affected SAP NetWeaver Application Server ABAP instances immediately by applying the security updates provided by SAP SE, as referenced in the SAP security notes.</li>
<li>Implement strong authentication policies and monitor for unusual login attempts to mitigate the &quot;authenticated attacker&quot; component of the attack chain.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-44747</category><category>memory-corruption</category><category>sap</category><category>netweaver</category><category>abap</category><category>out-of-bounds-write</category></item><item><title>SAP Approuter HTTP Request Smuggling Vulnerability Allows Confidentiality and Availability Impact (CVE-2026-27690)</title><link>https://feed.craftedsignal.io/briefs/2026-07-sap-approuter-request-smuggling/</link><pubDate>Tue, 14 Jul 2026 01:17:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sap-approuter-request-smuggling/</guid><description>An HTTP Request Smuggling vulnerability (CVE-2026-27690, CWE-444) in SAP Approuter allows an unauthenticated attacker to send a specially crafted HTTP request leading to request-response desynchronization, which can result in the exposure of user responses and cause a denial of service by making the system unavailable.</description><content:encoded><![CDATA[<p>SAP Approuter, specifically versions older than 20.10.0 of its Node.js package, is affected by a critical HTTP Request Smuggling vulnerability, identified as CVE-2026-27690 (CWE-444). This flaw allows an unauthenticated attacker to manipulate HTTP requests, leading to request-response desynchronization between a frontend proxy/load balancer and the backend Approuter server. By exploiting this desynchronization, an attacker can expose sensitive user responses, compromising confidentiality. Furthermore, the vulnerability can also be leveraged to trigger internal server errors or resource exhaustion, effectively rendering the system unavailable and leading to a denial of service. The vulnerability has a CVSS v3.1 base score of 9.1, indicating a severe risk to affected deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies an internet-facing SAP Approuter instance vulnerable to HTTP Request Smuggling.</li>
<li>The attacker crafts a malicious HTTP request that uses conflicting methods for determining message length (e.g., <code>Content-Length</code> and <code>Transfer-Encoding: chunked</code>) to exploit differences in how a frontend proxy/load balancer and the backend Approuter server process the request.</li>
<li>The frontend proxy/load balancer processes the request according to one method, while the backend SAP Approuter interprets it using another, leading to a desynchronized state.</li>
<li>The attacker's &quot;smuggled&quot; request or parts of it are left in the connection buffer on the backend server, where it gets prepended to subsequent legitimate user requests.</li>
<li>This can result in the attacker intercepting and exfiltrating sensitive data contained in responses intended for legitimate users.</li>
<li>Alternatively, the desynchronization and malformed requests can cause the Approuter to encounter errors, deplete resources, or crash.</li>
<li>This leads to the SAP Approuter application becoming unresponsive and unavailable to legitimate users, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-27690 can have severe consequences for organizations utilizing SAP Approuter. Attackers can gain unauthorized access to sensitive user data, including session tokens, credentials, or other confidential information transmitted through the application. This directly compromises the confidentiality of user interactions. Additionally, the vulnerability can be weaponized to perform denial-of-service attacks, making the SAP Approuter application inaccessible to legitimate users. This impacts business operations, disrupts critical processes, and can lead to significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching SAP Approuter instances to mitigate CVE-2026-27690 immediately. Apply the update referenced in the SAP security notes mentioned below to ensure SAP Approuter Node.js package versions are 20.10.0 or higher.</li>
<li>Regularly consult SAP's security patch day advisories via the <code>https://url.sap/sapsecuritypatchday</code> reference to stay informed about critical updates.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>http-request-smuggling</category><category>vulnerability</category><category>sap</category><category>web-application</category><category>denial-of-service</category><category>data-exposure</category></item></channel></rss>