Onapsis and SAP partnered on the discovery and mitigation of a set of three vulnerabilities affecting the SAP Internet Communication Manager (ICM) component in SAP business-critical applications. The ICMAD vulnerabilities require immediate attention by most SAP customers. One of the vulnerabilities, CVE-2022-22536, received the highest possible risk score, a 10 out of 10. As a result, CISA has issued a Current Activity Alert. If exploited, these vulnerabilities enable attackers to carry out serious malicious activity against SAP users, business information, and processes, and ultimately to compromise unpatched SAP applications.