Security Experts:

Connect with us

Hi, what are you looking for?



SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities

As part of its February 2022 Security Patch Day, German software maker SAP has announced the release of 13 new security notes and updates for five other security notes.

As part of its February 2022 Security Patch Day, German software maker SAP has announced the release of 13 new security notes and updates for five other security notes.

The company also released an out-of-band note, for a total of 19 security notes, to which three other notes that were released or updated since the second Tuesday of January should be added.

Eight of the 22 security notes were rated ‘Hot News’ – the highest rating in the company’s books –, a record number for the company. However, four of these are updates for previously released security notes.

Three of the newly released Hot News security notes have a CVSS score of 10, while the fourth has a CVSS score of 9.1. All of the updated Hot News notes have a CVSS score of 10.

The most important of these vulnerabilities is CVE-2022-22536, a request smuggling and request concatenation issue in NetWeaver, Content Server and Web Dispatches that could be abused to compromise any NetWeaver-based Java or ABAP application running the default configuration.

The vulnerability can be exploited with a single request delivered through the commonly exposed HTTP(S) service, without authentication, business application security firm Onapsis explains. An attacker could steal the victim’s session and credentials in plain text.

Onapsis warns that CVE-2022-22536 can be exploited in combination with a high-severity HTTP request smuggling vulnerability (CVE-2022-22532) to compromise NetWeaver Java systems.

These and a vulnerability tracked as CVE-2022-22533 are collectively tracked as ICMAD because they reside in the Internet Communication Manager (ICM) component, which is used by many SAP applications.

“CVE-2022-22536 is exploitable when an HTTP(S) proxy is sitting in between clients and the backend SAP system, which is the most common scenario for HTTP(S) access in any productive landscape. The Onapsis Research Labs validated that attackers could also exploit CVE-2022-22532 […] in the absence of a proxy. The combination of both vulnerabilities makes it possible to compromise SAP NetWeaver Java systems regardless of the use of proxies.” Onapsis says.

[READ: SAP Patches Log4Shell Vulnerability in More Applications]

The security company also warns of challenges associated with detecting attacks targeting ICMAD – as malicious requests are difficult to differentiate from benign requests – and underlines that successful exploitation leads to complete system takeover and does not require previous authentication.

By exploiting these vulnerabilities, attackers can steal user credentials and personal information, exfiltrate sensitive information, perform fraudulent financial transactions, disrupt critical systems and cause denial of service conditions, or change banking details in a financial system of record, Onapsis explains.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply the patches for the ICMAD flaws as soon as possible.

Two other Hot News security notes address remote code execution issues related to the use of Apache Log4j in SAP Commerce and Data Intelligence 3 (on-premise), respectively.

The last of this month’s Hot News security notes addresses a missing segregation of duties in Solution Manager Diagnostics Root Cause Analysis Tools (CVE-2022-22544, CVSS score of 9.1) that could allow an attacker with admin privileges to browse files and execute code on all Diagnostics Agents over the network, Onapsis explains.

Three of the updated Hot News security notes also deal with Log4j vulnerabilities, while the fourth brings Chromium release 97.0.4692.99 to SAP Business Client.

SAP also patched an SQL injection flaw in NetWeaver AS ABAP (Workplace Server) that could allow an attacker to execute crafted database queries, and updated a security note dealing with two vulnerabilities in the F0743 Create Single Payment application of S/4HANA.

Six medium-severity bugs were addressed this month in NetWeaver, ERP HCM, Business Objects Web Intelligence (BI Launchpad), 3D Visual Enterprise Viewer, Adaptive Server Enterprise, and S/4HANA. SAP also patched a low-severity denial of service in NetWeaver Application Server for ABAP and ABAP Platform.

Related: SAP Patches Log4Shell Vulnerability in 20 Applications

Related: Critical SAP Vulnerability Allows Supply Chain Attacks

Related: SAP Patches Critical Vulnerability in ABAP Platform Kernel

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet