WEBINAR: The Return of the ICMAD from this Patch Tuesday

Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities

New critical vulnerabilities in SAP Internet Communication Manager require immediate attention

Download threat report Watch the Webinar


On Thursday, August 18th, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog. Though this vulnerability was discovered earlier this year as part of joint research between Onapsis Research Labs and SAP Product Security Response Team (PSRT), this validation from CISA shows that organizations should prioritize action immediately.

Given the criticality of these vulnerabilities, Onapsis would like to ensure that every SAP customer can check to see if they are exposed — and take steps to protect their business-critical SAP applications. 

Scan Your Systems

The Onapsis Research Labs and SAP Product Security Response Team (PSRT) collaborated to discover and patch three critical vulnerabilities that affected Internet Communication Manager (ICM), a core component of SAP business applications. This discovery will require immediate attention by most SAP customers given the widespread usage of the vulnerable technology component in SAP landscapes around the world.

The individual ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. As a result, the U.S. Department of Homeland Security’s CISA has issued a Current Activity Alert.

Both SAP and Onapsis advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately. If exploited, these vulnerabilities, dubbed ICMAD (Internet Communication Manager Advanced Desync), enable attackers to execute serious malicious activities on SAP users, business information, and processes — and ultimately compromise unpatched SAP applications.

What Are the ICMAD SAP Vulnerabilities?

The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet. 

Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.


CERT Alerts

As a result of the potential threats associated with the ICMAD vulnerabilities, numerous global organizations have issued alerts.

Click on the logos to see each alert.


Threat Report: Who Is at Risk and How To Protect Your Business-Critical SAP Applications

Onapsis Research Labs’ thorough investigation of HTTP Response Smuggling over the last year led to the recent identification of the ICMAD vulnerabilities. Read the full threat report to understand:

  • What the three ICMAD vulnerabilities are
  • The potential business impact of exploitation
  • Recommendations to protect your business-critical SAP systems 
  • New research into HTTP Response Smuggling techniques

Executive Briefing: Mitigating the ICMAD SAP Vulnerabilities


Richard Puckett, CISO of SAP, and Mariano Nuñez, CEO and Co-founder of Onapsis discuss how the Onapsis Research Labs and SAP Product Security Response Team worked in close partnership to identify, assess, and patch critical ICMAD vulnerabilities — and what you need to do to mitigate the risk to your SAP applications. Watch this session to learn:

  • Details about the three zero-day vulnerabilities 
  • The potential business impact of of the ICMAD vulnerabilities
  • Recommendations for mitigation to keep your SAP systems protected



“What makes these vulnerabilities particularly critical for SAP customers is the fact that the issues are present by default in the ICM component.” 

— Onapsis Research Labs

Frequently Asked Questions

Both SAP and Onapsis advise impacted organizations to prioritize applying the patches for Security Notes 3123396 and 3123427 to their affected SAP applications immediately.

For all SAP customers not currently using The Onapsis Platform, use our open-source tool to scan your system for vulnerabilities or schedule a complimentary 1:1 security briefing with an Onapsis expert to assess your potential exposure.

The Onapsis Platform includes vulnerability assessment capabilities, detection rules, and alarms to continuously monitor malicious activity targeting these specific vulnerabilities as well as thousands of others. With the first release of February 2022 (2.2022.021), all Onapsis customers with Onapsis Assess and/or Onapsis Defend have the capabilities to protect their organizations against these critical issues.

If you have any questions, please do not hesitate to reach out to your Onapsis representative.