Patch Tuesday Closes Exchange Flaw Exploited in the Wild and SAP Fixes SAML with CVSS 9.9

Microsoft delivers a definitive fix for CVE-2026-42897, an XSS vulnerability in Outlook Web Access exploited since mid-May, on the same day SAP closes a critical SAML vulnerability.
Exchange Exposure Window Lasted 26 Days
Microsoft released its June Patch Tuesday update this Tuesday, with the most urgent item in the package being the definitive fix for CVE-2026-42897. This vulnerability affects Exchange Server 2016, 2019, and Subscription Edition in on-premises deployments, and was disclosed on May 14, just two days after May's Patch Tuesday. Attackers have been exploiting it in the wild since then.
The flaw is a cross-site scripting vulnerability in Outlook Web Access. The attacker sends an email with a specific payload, and when the recipient opens the message in OWA, the code executes in the victim's browser with the privileges of the victim's Exchange session. Microsoft 365 and Exchange Online are not affected; the issue is exclusive to on-premises deployments. The Exchange Emergency Mitigation Service, enabled by default, has been providing automatic containment for the past three weeks, but the company confirms that only this Tuesday's update officially closes the vector.
On the same day, SAP announced its own Security Patch Day with fifteen notes. The most critical is CVE-2026-44748, an XML signature wrapping weakness in SAML handling that received a CVSS score of 9.9. An authenticated attacker with ordinary privileges can obtain a valid signed message, which paves the way for impersonation in systems that trust SAML assertions. SAP also addressed CVE-2026-27671, a memory corruption issue in the ABAP kernel of the Application Server, exploitable without authentication via malformed RFC requests.
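Signature wrapping works because a service provider verifies the signature on one element but reads claims from another. The following is an added example, not code from SAP, Microsoft or the article: a structural pre-check that a SAML service provider can run before cryptographic verification, rejecting responses where the number, position or ID of the assertion does not line up with the signature's reference. It assumes the SP expects exactly one enveloped signature on exactly one assertion; the sample messages and signature values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_saml_structure(xml_text):
    """Structural pre-checks against XML signature wrapping; returns (ok, reason).
    Run BEFORE cryptographic signature verification, never instead of it."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        return False, "root is not samlp:Response"
    # Wrapped documents typically reuse the ID of the genuinely signed element.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attribute"
    # Count assertions anywhere in the tree, including inside ds:Object/Extensions.
    assertions = list(root.iter(SAML + "Assertion"))
    if len(assertions) != 1:
        return False, "expected 1 Assertion, found %d" % len(assertions)
    assertion = assertions[0]
    if assertion not in list(root):
        return False, "Assertion is not a direct child of Response"
    sigs = list(root.iter(DS + "Signature"))
    if len(sigs) != 1 or sigs[0] not in list(assertion):
        return False, "expected exactly one Signature enveloped in the Assertion"
    refs = list(sigs[0].iter(DS + "Reference"))
    if len(refs) != 1:
        return False, "expected exactly one ds:Reference"
    # The reference must point at the very element the SP will read claims from.
    if refs[0].get("URI") != "#" + (assertion.get("ID") or ""):
        return False, "Reference URI does not match the Assertion ID"
    return True, "ok"

# Constructed sample messages (signature values are placeholders, not real).
HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">')
GOOD = HDR + ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
              '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
              '</ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue></ds:Signature>'
              '</saml:Assertion></samlp:Response>')
# Signed assertion relocated under ds:Object; an unsigned one takes its place.
WRAPPED = HDR + ('<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
                 '</saml:Subject><ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/>'
                 '</ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue><ds:Object>'
                 '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
                 '</saml:Subject></saml:Assertion></ds:Object></ds:Signature>'
                 '</saml:Assertion></samlp:Response>')
```

A production SP should additionally verify the signature cryptographically against the IdP's pinned certificate and parse with entity expansion and external DTDs disabled.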
The Target is the Corporate Backbone
The combination of these three CVEs strikes where it hurts. On-premises Exchange still hosts email and calendars for banks, law firms, hospitals, and governments that have postponed migration to Microsoft 365 for reasons of data sovereignty or legacy contracts. SAP S/4HANA and traditional ECC modules support the ERPs of nearly all Fortune 500 companies. A signature wrapping flaw in SAML breaks the trust between federated components, which is exactly the vector attackers seek in environments where Active Directory and the SAP IdP run in parallel.
For the CISO, there are two parallel deadlines to manage this week. The Exchange patch needs to be applied before the adversaries already exploiting CVE-2026-42897 realize the mitigation window is closing and intensify their campaign. The SAP patch, on the other hand, requires a longer maintenance window because of its production impact. The notes for the ABAP Application Server require regression testing before being applied in Tier 1 environments, while the unauthenticated nature of CVE-2026-27671 argues for rapid deployment.
Two Markets that Need to Coordinate Response
The combination is particularly important in geographies with a significant installed base of on-premises Exchange and SAP. Germany is exposed on both fronts: the BSI, the federal security authority, historically recommends caution in migrating email to the cloud in sectors such as healthcare and federal agencies, and the German SAP base is the largest in the world by vendor revenue. Japan has a similar profile in manufacturing and finance, with Mizuho and MUFG operating S/4HANA in hybrid environments that combine on-premises SAP and Exchange for regulatory segregation.
Brazil enters through the banking and government flank. The SAP base in major banks and local telecom operations is one of the deepest in Latin America, and the share of on-premises Exchange in federal agencies and courts remains above the global average. The arrival of these three CVEs in a single Patch Tuesday forces CIOs and CISOs to reprioritize their maintenance windows for the next fortnight, with Active Directory and the SAP IdP at the top of the list.
The Detail That Still Has No Owner
Microsoft, in its statement, did not attribute the exploitation campaign related to CVE-2026-42897 to a specific actor. CISA and the UK's NCSC had not issued any attribution alert by the time of this report either. The silence suggests that the investigation is ongoing and that the agencies prefer not to compromise intelligence collection before the patch is widely deployed. For the detection team, it is worth planning for the more costly hypothesis: that the exploit is already packaged in commercial offensive security frameworks and will appear in opportunistic campaigns over the next ten days.