ZeroPath at Black Hat USA 2026

SAP NetWeaver ABAP CVE-2026-44748: Brief Summary of a Critical XML Signature Wrapping Vulnerability

A brief summary of CVE-2026-44748, a CVSS 9.9 XML Signature Wrapping vulnerability in SAP NetWeaver ABAP that allows authenticated attackers to tamper with signed XML documents and bypass identity verification. Includes patch information and affected version details.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

SAP NetWeaver ABAP CVE-2026-44748: Brief Summary of a Critical XML Signature Wrapping Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

For the second time in four months, SAP has patched a critical XML Signature Wrapping vulnerability in NetWeaver Application Server ABAP, this time carrying a CVSS score of 9.9. CVE-2026-44748 allows an authenticated attacker with ordinary privileges to tamper with signed XML documents in a way that the system's signature verifier accepts as legitimate, opening the door to identity spoofing, unauthorized data access, and system disruption across what could be tens of thousands of enterprise environments.

SAP ERP holds approximately 10.93% of the global ERP market with 28,676 customer organizations, meaning a critical flaw in the NetWeaver ABAP stack has an outsized blast radius. The fact that this vulnerability shares the same root cause (CWE-347: Improper Verification of Cryptographic Signature) and nearly identical description as CVE-2026-23687, patched just four months earlier in February 2026, raises pointed questions about whether the underlying signed XML processing architecture in SAP NetWeaver ABAP needs more than incremental fixes.

Technical Information

Root Cause: Improper Verification of Cryptographic Signature (CWE-347)

CVE-2026-44748 falls under CWE-347, defined by MITRE as occurring when "the product does not verify, or incorrectly verifies, the cryptographic signature for data." CWE-347 is a child of CWE-345 (Insufficient Verification of Data Authenticity) and maps to OWASP Top 10 category A04:2025 (Cryptographic Failures).

The core issue is a structural disconnect in the SAP ABAP XML signature verification logic. When the system receives a signed XML document, it validates the cryptographic signature against an element identified by an ID based URI reference. However, the application logic that subsequently processes the document does not ensure that the validated element is the same element it actually consumes. This gap between "what was verified" and "what gets used" is the textbook precondition for an XML Signature Wrapping attack.

Think of it like a wax seal on a letter: the system checks that the seal is real, but not that the letter itself has been rewritten underneath it.

Attack Flow

The exploitation of CVE-2026-44748 follows a well understood XML Signature Wrapping pattern:

Step 1: Obtain a valid signed message. An authenticated attacker with normal (low) privileges captures or obtains a legitimately signed XML document from the SAP system. This could be a SAML assertion, a signed identity document, or any other XML structure that the system processes with signature verification.

Step 2: Restructure the XML document. The attacker moves the original signed element to a different location within the XML document tree. In its original position, the attacker inserts a new, tampered element containing modified identity information. The cryptographic signature remains mathematically valid because it still references the original (now relocated) element via its ID attribute.

Step 3: Submit the modified document to the verifier. The attacker sends the restructured XML document to the SAP ABAP signature verifier. The verifier locates the signed element by its ID reference, validates the signature successfully, and returns a positive verification result. The application logic then processes the tampered element that now sits in the structural position the application expects, accepting the forged identity information as authentic.

Attack Parameters

ParameterValue
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow (authenticated, normal privileges)
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh
CVSS Score9.9
CWECWE-347
CNASAP SE

The requirement for only authenticated access with normal privileges is a relatively low bar. Any user with a valid SAP account, including service accounts, contractors, or accounts obtained through credential theft, can potentially exploit this vulnerability. The high impact across all three CIA dimensions reflects the fact that a single successful exploit can exfiltrate sensitive data, modify identity information to escalate privileges, and disrupt system availability simultaneously.

CWE-347 is associated with CAPEC-475 (Signature Spoofing by Improper Validation), which systematically targets gaps in cryptographic verification logic. The XML Signature Wrapping technique used here is a specific instance of CAPEC-475, where the verifier is tricked into accepting tampered data because signature verification is performed on a different data object than the one the application actually consumes.

Connection to CVE-2026-23687

A nearly identical vulnerability, CVE-2026-23687, was addressed in the February 2026 SAP Security Patch Day under SAP Note 3697567. That CVE carried the same description: "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier." The Tenable Nessus plugin 298966 was created specifically to detect this class of XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP. The recurrence of this same vulnerability pattern in CVE-2026-44748 suggests the initial patch may have been incomplete, that additional attack variants were discovered, or that the underlying architecture has multiple points where the same class of flaw manifests.

Identity Infrastructure Implications

XML Signature Wrapping attacks target identity and authentication infrastructure, including SAML assertions and signed identity documents. A successful exploit does not just compromise a single transaction; it undermines the entire trust model of the affected SAP system. If an attacker can forge identity information that the system accepts as cryptographically verified, they can impersonate any user, escalate privileges, and move laterally across the SAP landscape.

Patch Information

SAP has released Security Note 3746332 as part of the June 9, 2026 SAP Security Patch Day to remediate CVE-2026-44748. Given the CVSS 9.9 score, SAP categorizes this as a highest priority note, and administrators should treat it as an emergency deployment rather than a routine patch cycle item.

The fix corrects the signature verification logic within the ABAP platform so that modified XML documents are properly rejected during the verification step. The patch covers the following SAP_BASIS versions:

  • SAP_BASIS 702, 731, 740
  • SAP_BASIS 750 through 758
  • SAP_BASIS 816, 918, 919

Versions not in this list carry a default status of unaffected, meaning the flaw is scoped to these specific releases.

To apply the patch, administrators must download and implement SAP Security Note 3746332 via the SAP for Me portal. Detailed correction instructions, affected ABAP objects, and support package prerequisites are available within the note itself (SAP authentication required).

Organizations that have not yet applied SAP Note 3697567 for the related CVE-2026-23687 (February 2026) should treat both notes as priority remediation items, as the vulnerabilities share the same root cause and attack vector.

Compensating controls while patching is pending:

  • Restrict the number of users with SAP NetWeaver ABAP accounts, particularly those with normal privileges in environments processing signed XML documents
  • Deploy SAP specific security monitoring (such as Onapsis or SecurityBridge) to detect unusual signed XML document submissions or identity information changes
  • Implement network segmentation to limit network paths to SAP NetWeaver ABAP systems

Affected Systems and Versions

Based on the patch coverage in SAP Security Note 3746332, the following SAP_BASIS versions are confirmed affected:

  • SAP_BASIS 702
  • SAP_BASIS 731
  • SAP_BASIS 740
  • SAP_BASIS 750, 751, 752, 753, 754, 755, 756, 757, 758
  • SAP_BASIS 816
  • SAP_BASIS 918
  • SAP_BASIS 919

The affected product is SAP NetWeaver Application Server ABAP and ABAP Platform. Versions not listed above carry a default status of unaffected per the SAP Security Note. Organizations should consult SAP Note 3746332 directly for version specific applicability and any support package prerequisites.

Vendor Security History

SAP NetWeaver has a documented history of critical severity vulnerabilities that have drawn government alerts and active exploitation:

CVEYearCVSSTypeStatus
CVE-2020-6287202010.0LM Configuration Wizard (RECON)US-CERT alert issued
CVE-2025-313242025CriticalUnrestricted File Upload (Visual Composer)Actively exploited in the wild
CVE-2025-4295720259.9ABAP Code Injection (S/4HANA)CSA Singapore alert issued
CVE-2026-05072026CriticalOS Command Injection (ABAP + RFCSDK)Patched January 2026
CVE-2026-236872026HighXML Signature Wrapping (ABAP)Patched February 2026
CVE-2026-4474820269.9XML Signature Wrapping (ABAP)Patched June 2026

The 2026 SAP Security Patch Day cadence has shown a consistent volume of critical and high severity vulnerabilities, with at least one CVSS 9.0+ vulnerability per month through April. The recurrence of CWE-347 XML Signature Wrapping vulnerabilities in the same product within four months is particularly notable and suggests the signed XML handling architecture in SAP NetWeaver ABAP may require a more fundamental redesign rather than point patches.

The confirmed active exploitation of CVE-2025-31324, where threat actors uploaded JSP web shells to SAP NetWeaver servers, demonstrates that SAP NetWeaver weaknesses are actively targeted by threat actors. Palo Alto Unit 42, Onapsis, Horizon3.ai, and TXOne Networks all documented active exploitation campaigns against SAP NetWeaver in 2025, with exploitation observed before public disclosure in some cases.

While no public sources confirm active exploitation of CVE-2026-44748 specifically as of its June 9, 2026 publication date, the combination of a low exploitation barrier, well documented XML Signature Wrapping techniques with published research and tooling, and the demonstrated threat actor interest in SAP NetWeaver vulnerabilities elevates the likelihood of near term exploitation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization