SAP has issued its May 2026 security update bundle, addressing 15 vulnerabilities across its product portfolio with particular focus on two critical-severity flaws affecting Commerce Cloud and S/4HANA. The critical vulnerabilities pose significant risk to organizations running these enterprise systems, which handle sensitive business operations and customer data.
The Commerce Cloud platform, used by enterprises for large-scale e-commerce operations, contains one of the critical flaws that could enable attackers to compromise the system. The second critical vulnerability affects S/4HANA, SAP's flagship ERP suite that manages core business processes including finance, supply chain, and human resources for thousands of organizations worldwide.
While SAP has withheld specific technical details about exploitation methods in order to prevent active attacks, the critical severity rating indicates these flaws could allow unauthorized access, data theft, or system compromise. The remaining 13 vulnerabilities in the May update range from high to medium severity, affecting various other SAP products and components.
Organizations running affected SAP systems face potential business disruption, data breaches, and compliance violations if these vulnerabilities are exploited. The critical nature of Commerce Cloud and S/4HANA in enterprise operations means successful attacks could impact revenue-generating activities and essential business functions.
SAP customers should prioritize applying these security updates immediately, particularly for Commerce Cloud and S/4HANA installations. Organizations should review SAP's security notes, test patches in non-production environments where possible, and implement the updates during planned maintenance windows. Security teams should also monitor for any unusual activity on SAP systems while patches are being deployed.
Source: https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabilities-in-commerce-cloud-and-s-4hana/


