June’s SAP Patch Day brought two HotNews notes striking at the foundation of most SAP landscapes - Application Server ABAP. Both carry a severity rating that cannot be left “for later”.

Note #3746332 - CVSS 9.9

XML Signature Wrapping in SAML authentication. A logged-in user with low privileges can craft a signed XML document and impersonate another user’s identity. The result is access to sensitive data and disruption to system operation.
Temporary workaround: disable SAML until the patch is deployed.

Note #3717897 - CVSS 9.8

Memory Corruption in the RFC protocol. Here, an account is not even required - an unauthenticated attacker sends a crafted RFC request and exploits a flaw in memory management.
The absence of a required authentication step means there is no natural barrier to entry.

What this means in practice

ABAP is not a peripheral component. It is the core underpinning finance, logistics and HR. A vulnerability rated 9.8 with no login requirement means that exposing RFC interfaces to the network becomes a real attack vector - not a theoretical one.

Our recommendations
- Prioritise both notes in the next available maintenance window - this is not a patch “for later”.
- Verify the exposure of RFC and SAML interfaces beyond the trusted network boundary.
- Where the patch cannot be deployed immediately - apply the SAML workaround and control access to the RFC gateway.
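
One way to carry out the RFC exposure check from the recommendations above, as an added example that is not part of the original article or of SAP's tooling: it audits an exported firewall rule set for allow rules that let sources outside the trusted networks reach the RFC gateway ports. The rule format, trusted networks and sample rules are constructed; the port ranges assume SAP's standard numbering (33NN for the gateway, 48NN for its SNC-secured port, NN being the instance number).

```python
import ipaddress

# Assumption: standard SAP port numbering, NN = instance number.
RFC_PORT_RANGES = {"sapgwNN": (3300, 3399), "sapgwNNs": (4800, 4899)}

# Assumption: the networks that form the trusted boundary (IPv4 only here).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample rules in a hypothetical normalised export format.
SAMPLE_RULES = [
    {"id": "r1", "action": "allow", "src": "10.20.4.0/24", "ports": "3300-3399"},
    {"id": "r2", "action": "allow", "src": "0.0.0.0/0", "ports": "3300"},
    {"id": "r3", "action": "allow", "src": "10.0.0.0/8", "ports": "3200-3399"},
    {"id": "r4", "action": "deny", "src": "0.0.0.0/0", "ports": "3300-3399"},
    {"id": "r5", "action": "allow", "src": "0.0.0.0/0", "ports": "443"},
    {"id": "r6", "action": "allow", "src": "192.168.50.17/32", "ports": "4800"},
]

def parse_ports(spec):
    """Turn '3300' or '3300-3399' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def exposed_services(spec):
    """Names of the RFC gateway port ranges that a rule's port spec overlaps."""
    lo, hi = parse_ports(spec)
    return [name for name, (a, b) in RFC_PORT_RANGES.items() if lo <= b and a <= hi]

def is_trusted(src):
    """True only if the whole source network lies inside a trusted network."""
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED)

def audit(rules):
    """Flag allow rules that open RFC gateway ports to untrusted sources.

    Rule order and shadowing by earlier deny rules are not evaluated, so
    every finding still needs a check against the effective policy.
    """
    findings = []
    for rule in rules:
        services = exposed_services(rule["ports"])
        if rule["action"] == "allow" and services and not is_trusted(rule["src"]):
            findings.append((rule["id"], rule["src"], services))
    return findings

if __name__ == "__main__":
    for rule_id, src, services in audit(SAMPLE_RULES):
        print(f"{rule_id}: {src} may reach {', '.join(services)}")
```

Rule r3 is flagged even though its source is private address space, because 10.0.0.0/8 is wider than the trusted 10.20.0.0/16 and therefore extends beyond the boundary.
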
Patch Day can overwhelm with the sheer number of notes. These two, however, are not noise - they are a priority for the current week.
We deliver continuous monitoring of changes, transactions, RFC and ABAP configuration using the SecurityBridge platform - shortening the cycle from note publication to response from weeks to hours. We write more broadly about response obligations in the context of NIS2 / DORA / KSC audits for SAP.
And how does the process of deploying critical SAP notes look in your organisation - planned, or only “when something happens”? We would be happy to discuss it.
Source: SAP Security Patch Day (June 2026), Onapsis Research Labs, support.sap.com.