
SAP Patch Day June 2026 - two critical notes at the heart of ABAP

June's SAP Patch Day brought two HotNews notes striking at Application Server ABAP: XML Signature Wrapping in SAML (CVSS 9.9) and Memory Corruption in the RFC protocol (CVSS 9.8). The second does not even require authentication. This is a priority for this week, not a patch for later.

June’s SAP Patch Day brought two HotNews notes striking at the foundation of most SAP landscapes - Application Server ABAP. Both carry a severity rating that cannot be left “for later”.


Note #3746332 - CVSS 9.9

XML Signature Wrapping in SAML authentication. A user who already holds a valid, low-privileged logon can take an assertion the identity provider genuinely signed for them and restructure the XML so that the signature check still passes on the original element while the application reads the identity from an injected, unsigned element. The result is impersonation of another user: access to that user's data and the ability to disrupt system operation.

Temporary workaround: disable SAML logon until the patch is deployed. Users then authenticate through whatever other logon mechanisms the system has configured, so plan the switch rather than flipping it mid-shift.
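The wrapping attack described above, and the consumer-side check that defeats it, as an added example. This is not code from the page or from SAP: the RSA XML-DSig is replaced by an HMAC over a simplified canonical form so the block runs offline, the element names mirror SAML and XML-DSig without namespaces, and the key and user names are constructed for the demo. The vulnerable consumer validates "a" signature and then reads "an" assertion; the hardened consumer only ever reads the identity from the single element the signature actually covers.

```python
"""Toy XML Signature Wrapping (XSW) demo against a SAML-style consumer.

Added example, not code from the page or from SAP. XML-DSig with RSA is
replaced by an HMAC over a simplified canonical form; element names
(Response, Assertion, Subject, NameID, Signature, Reference,
SignatureValue) mirror SAML/XML-DSig but carry no namespaces. The key and
identities below are constructed for the demo.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"idp-signing-key"  # assumption: stands in for the IdP's signing key


def canonicalize(elem):
    """Toy canonicalisation: serialise the element without its Signature child."""
    clone = copy.deepcopy(elem)
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def digest_of(elem):
    return hmac.new(IDP_KEY, canonicalize(elem), hashlib.sha256).hexdigest()


def sign(elem):
    """Enveloped signature: a Signature child that references the element by ID."""
    value = digest_of(elem)
    sig = ET.SubElement(elem, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + elem.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = value


def build_idp_response(user="alice"):
    """What the IdP hands the low-privileged attacker: their own signed assertion."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID="a1")
    ET.SubElement(ET.SubElement(assertion, "Subject"), "NameID").text = user
    sign(assertion)
    return ET.tostring(resp)


def wrap(xml_bytes, victim="admin"):
    """Attacker step: keep the signed assertion intact but move it under an
    Extensions wrapper, and place an unsigned assertion for the victim where a
    naive consumer looks first."""
    root = ET.fromstring(xml_bytes)
    signed = root.find("Assertion")
    root.remove(signed)
    forged = ET.SubElement(root, "Assertion", ID="a2")
    ET.SubElement(ET.SubElement(forged, "Subject"), "NameID").text = victim
    ET.SubElement(root, "Extensions").append(signed)
    return ET.tostring(root)


def signature_checks_out(root):
    """Verify the first Signature against whatever element its Reference names."""
    sig = root.find(".//Signature")
    ref = sig.find("Reference").get("URI")[1:]
    target = root.find(f".//*[@ID='{ref}']")
    return hmac.compare_digest(digest_of(target), sig.find("SignatureValue").text)


def vulnerable_consume(xml_bytes):
    """Bug: signature validation and identity extraction are decoupled."""
    root = ET.fromstring(xml_bytes)
    if not signature_checks_out(root):
        raise ValueError("invalid signature")
    return root.find(".//Assertion/Subject/NameID").text  # first Assertion wins


def hardened_consume(xml_bytes):
    """Accept an identity only from the one element the signature covers."""
    root = ET.fromstring(xml_bytes)
    sigs = root.findall(".//Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    sig = sigs[0]
    uri = sig.find("Reference").get("URI")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    targets = root.findall(f".//*[@ID='{uri[1:]}']")
    if len(targets) != 1 or targets[0].tag != "Assertion":
        raise ValueError("Reference must name exactly one Assertion")
    target = targets[0]
    if target.find("Signature") is not sig:
        raise ValueError("Signature must be enveloped in the element it signs")
    if not hmac.compare_digest(digest_of(target), sig.find("SignatureValue").text):
        raise ValueError("invalid signature")
    if root.findall(".//Assertion") != [target]:
        raise ValueError("unsigned Assertion present alongside the signed one")
    return target.find("Subject/NameID").text


if __name__ == "__main__":
    legit, wrapped = build_idp_response(), wrap(build_idp_response())
    print("vulnerable, legit  :", vulnerable_consume(legit))
    print("vulnerable, wrapped:", vulnerable_consume(wrapped))
    print("hardened,   legit  :", hardened_consume(legit))
    try:
        hardened_consume(wrapped)
    except ValueError as err:
        print("hardened,   wrapped: rejected,", err)
```

The three hardened checks that matter are the ones a real SAML library must do as well: resolve the Reference to exactly one element (duplicate IDs are a classic wrapping trick), require the signature to be enveloped in that element, and read every attribute of the subject from that element and nothing else.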

Note #3717897 - CVSS 9.8

Memory Corruption in the RFC protocol. Here no account is required at all: an unauthenticated attacker sends a crafted RFC request and corrupts memory in the server's RFC handling.

The absence of any authentication step means there is no natural barrier to entry: every RFC port the attacker can reach is in scope.

What this means in practice

ABAP is not a peripheral component. It is the core underpinning finance, logistics and HR. A vulnerability rated 9.8 with no login requirement means that any RFC interface exposed to the network becomes a real attack vector, not a theoretical one.

Our recommendations

  1. Prioritise both notes for the next available maintenance window, and bring that window forward if it is not this week; this is not a patch "for later".
  2. Verify whether the RFC gateway ports and the SAML logon endpoints are reachable from beyond the trusted network boundary.
  3. Where the patch cannot be deployed immediately, apply the SAML workaround and restrict access to the RFC gateway through its ACLs (reginfo and secinfo) and network filtering.
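Recommendations 2 and 3 come down to one question: which hosts may reach the gateway and what may they start or register there. As an added example (not the page's or SecurityBridge's code), the audit below parses gateway ACL files in the version-2 syntax assumed here (a #VERSION=2 header, then P/D rules with KEY=VALUE tokens such as TP, HOST, USER, USER-HOST, ACCESS and CANCEL) and flags permit rules that open the gateway to any host. The sample files and the hostname and program name in them are constructed.

```python
"""Audit SAP gateway ACL files (reginfo and secinfo) for over-permissive
permit rules.

Added example, not the page's or SecurityBridge's code. It assumes the
version-2 ACL syntax: a #VERSION=2 header, then one rule per line starting
with P (permit) or D (deny) followed by KEY=VALUE tokens (TP, HOST, USER,
USER-HOST, ACCESS, CANCEL), where a value may be a comma-separated list.
A rule with no HOST is treated as unrestricted for audit purposes
(assumption). The sample files and hostnames are constructed.
"""

TRUSTED_KEYWORDS = {"local", "internal"}  # gateway keywords: own host / own system


def parse_acl(text):
    """Parse an ACL file into rule dicts, keeping the source line number."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment or #VERSION header
        action, *tokens = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rule = {"line": lineno, "action": action}
        for tok in tokens:
            key, _, value = tok.partition("=")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def is_open(value):
    """True if any entry of a comma-separated value is a bare wildcard."""
    return any(v.strip() == "*" for v in value.split(","))


def audit(text, kind):
    """Return (line, severity, message) findings for a 'reginfo' or 'secinfo' file."""
    findings = []
    for r in parse_acl(text):
        if r["action"] != "P":
            continue  # deny rules cannot widen access
        tp, host = r.get("TP", "*"), r.get("HOST", "*")
        if is_open(host):
            findings.append((r["line"], "high", f"TP={tp} permitted from any HOST"))
        elif tp == "*" and host.lower() not in TRUSTED_KEYWORDS:
            findings.append((r["line"], "medium", f"any TP permitted from HOST={host}"))
        if kind == "reginfo":
            # ACCESS / CANCEL name the hosts that may use or cancel a registered server
            for field in ("ACCESS", "CANCEL"):
                if field in r and is_open(r[field]):
                    findings.append((r["line"], "medium", f"{field}=* on TP={tp}"))
        elif kind == "secinfo":
            if "USER-HOST" in r and is_open(r["USER-HOST"]):
                findings.append((r["line"], "high", f"TP={tp} may be started from any USER-HOST"))
    return findings


# Constructed samples. The permissive reginfo shows the pattern that turns a
# gateway into an open door: register and use any program from anywhere.
PERMISSIVE_REGINFO = """\
#VERSION=2
P TP=* HOST=local
P TP=* HOST=internal
P TP=* HOST=* ACCESS=* CANCEL=*
D TP=* HOST=*
"""

RESTRICTIVE_REGINFO = """\
#VERSION=2
P TP=* HOST=local
P TP=* HOST=internal
P TP=ZPI_ADAPTER HOST=pi-app01.corp.example ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

PERMISSIVE_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=* HOST=*
D TP=* USER=* USER-HOST=* HOST=*
"""

if __name__ == "__main__":
    for name, text, kind in [("reginfo (permissive)", PERMISSIVE_REGINFO, "reginfo"),
                             ("reginfo (restrictive)", RESTRICTIVE_REGINFO, "reginfo"),
                             ("secinfo (permissive)", PERMISSIVE_SECINFO, "secinfo")]:
        findings = audit(text, kind)
        print(name, "- clean" if not findings else "")
        for line, severity, message in findings:
            print(f"  line {line}: {severity}: {message}")
```

Run it against the files your profile parameters gw/reg_info and gw/sec_info point to; a file that does not exist at all is a finding in itself, because the gateway's fallback behaviour then depends on gw/acl_mode rather than on rules you wrote. The ACL only narrows who may talk to the gateway at all; it is a compensating control for the unauthenticated RFC note, not a substitute for applying it.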

Patch Day can overwhelm with the sheer number of notes. These two, however, are not noise - they are a priority for the current week.

We deliver continuous monitoring of changes, transactions, RFC and ABAP configuration using the SecurityBridge platform - shortening the cycle from note publication to response from weeks to hours. We write more broadly about response obligations in the context of NIS2 / DORA / KSC audits for SAP.

And how does the process of deploying critical SAP notes look in your organisation - planned, or only “when something happens”? We would be happy to discuss it.


Source: SAP Security Patch Day (June 2026), Onapsis Research Labs, support.sap.com.

Topics: Safe Tuesday sap-security SAP NetWeaver SecurityBridge PatchDay
