Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.

CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes, there do not appear to be any public reports describing exploitation in the wild, but the cybersecurity agency clarified in the past that it only adds CVEs to its catalog if it has reliable information about malicious exploitation.

The SAP vulnerability added to CISA’s list, tracked as CVE-2022-22536, was patched by the vendor in February in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.

Onapsis, a company that specializes in protecting business-critical applications, warned at the time that CVE-2022-22536 and CVE-2022-22532 could be exploited together, but for the time being there is no mention of CVE-2022-22532 also being exploited.

The two memory corruption vulnerabilities were detailed by Onapsis researcher Martin Doyhenard on August 10 at the Black Hat conference and on August 13 at the Def Con conference in a presentation focusing on exploiting inter-process communication in SAP’s HTTP server. Onapsis also released an 18-page paper detailing its findings.

“Both, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” Doyhenard wrote in the research paper.

There does not appear to be any public information describing the attacks exploiting CVE-2022-22536, but CISA warned in February that exploitation could lead to theft of sensitive data, financial fraud, disruption of mission-critical business processes, or ransomware deployment.

“We have seen an increase in the threat activity, particularly related to CVE-2022-22536, over the past few days, and while we continue working on it, it is too early to make any assessment about attribution. Exploitation of this vulnerability is valuable to attackers because it can be used to steal user sessions, ultimately compromising any business application,” JP Perez-Etchegoyen, CTO of Onapsis, told SecurityWeek.

“Onapsis coordinated with SAP, CISA, and other CERT(s) so all SAP customers had the necessary information to understand and manage this critical risk, even releasing an open-source scanner to automatically assess if systems were vulnerable. This underlines the need to continually assess SAP systems for vulnerabilities with real-time threat intelligence,” he added.

CISA also added to its Known Exploited Vulnerabilities Catalog two flaws affecting Microsoft products for which there do not appear to be any public reports describing exploitation in the wild.

One of them, CVE-2022-21971, is a Windows remote code execution vulnerability that Microsoft patched in February. Microsoft’s advisory currently says it has not been exploited or publicly disclosed and assigns it an exploitability rating of ‘exploitation less likely’. However, a proof-of-concept (PoC) exploit has been available since at least March.

The second Microsoft vulnerability, CVE-2022-26923, is a privilege escalation issue affecting Active Directory Domain Services. Microsoft released a patch in May and PoC exploits were made available days later.

CISA has also added to its ‘must patch’ list the two iOS and macOS vulnerabilities addressed by Apple this week, a Chrome flaw fixed by Google this week, and a 2017 vulnerability affecting Palo Alto Networks appliances (CVE-2017-15944).

*updated with information from Onapsis

Related: Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

Related: CISA Says Recent Cisco Router Vulnerabilities Exploited in Attacks

Related: CISA Says ‘HiveNightmare’ Windows Vulnerability Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.