Exploring ICMAD Vulnerabilities

Onapsis partners with SAP to swiftly detect and address critical ICMAD vulnerabilities, ensuring the protection of your vital systems. These newly identified security risks within SAP’s Internet Communication Manager demand immediate attention and decisive action.
Breaking News
On Thursday, August 18th, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability, CVE-2022-22536, to its Known Exploited Vulnerabilities Catalog. Though this vulnerability was discovered earlier this year as part of joint research between Onapsis Research Labs and the SAP Product Security Response Team (PSRT), this validation from CISA shows that organizations should prioritize action immediately. If you're ready to secure your ERP, visit our resource center.
Onapsis and SAP Collaborate for Swift Action and Protection
Given the criticality of these vulnerabilities, Onapsis would like to ensure that every SAP customer can check to see if they are exposed — and take steps to protect their business-critical SAP applications.
The Onapsis Research Labs and SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical vulnerabilities that affected the Internet Communication Manager (ICM), a core component of SAP business applications. Given the widespread usage of the vulnerable technology component in SAP landscapes worldwide, this discovery will require immediate attention by most SAP customers.
The individual ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. As a result, the U.S. Department of Homeland Security’s CISA has issued a Current Activity Alert.
Both SAP and Onapsis advise impacted organizations to immediately prioritize applying Security Notes 3123396 and 3123427 to their affected SAP applications. If exploited, these vulnerabilities, dubbed ICMAD (Internet Communication Manager Advanced Desync), enable attackers to carry out serious malicious activity against SAP users, business information, and processes, ultimately compromising unpatched SAP applications.
What Are the ICMAD SAP Vulnerabilities?
The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server. It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.
Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple and requires no previous authentication or preconditions, while the payload may be sent through HTTP(S), the most widely used network service to access SAP applications.
Threat Report: Who Is at Risk and How To Protect Your Business-Critical SAP Applications
Onapsis Research Labs’ thorough investigation of HTTP Response Smuggling over the last year led to the recent identification of the ICMAD vulnerabilities. Read the full threat report to understand:
“What makes these vulnerabilities particularly critical for SAP customers is the fact that the issues are present by default in the ICM component.”
— Onapsis Research Labs









