Finding SAP NetWeaver instances vulnerable to ICMAD

, by Pearce Barry

A set of recently patched SAP vulnerabilities has been surfaced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with their recommendation to patch as soon as possible. Discovered and disclosed by security researchers at Onapsis, these three vulnerabilities are referred to as ICMAD and affect SAP applications which utilize the SAP Internet Communication Manager (ICM).

Which SAP NetWeaver versions are affected?

Some versions of SAP NetWeaver contain all three of these ICMAD vulnerabilities:

  • CVE-2022-22536 (CVSS “critical” score of 10.0) - vulnerable to request smuggling and request concatenation, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, data exfiltration, denial of service, and more. In addition to NetWeaver, some versions of SAP Web Dispatcher and SAP Content Server also contain this vulnerability.
  • CVE-2022-22532 (CVSS “high” score of 8.1) - vulnerability in shared memory handling, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, or taking over the victim’s logon session.
  • CVE-2022-22533 (CVSS “low” score of 3.7) - vulnerability in error handling which could result in a denial of service attack by exhausting available memory, leading to system shutdown.

Is a security patch available?

Yes. SAP made patched software available earlier this week. While there currently are no known customer breaches related to exploitation of the ICMAD vulnerabilities, SAP does strongly recommend that admins update to the latest available versions as soon as possible.

How do I find potentially vulnerable SAP NetWeaver instances with Rumble?

From the Asset Inventory, use the following pre-built query to locate SAP NetWeaver assets within your network that are potentially vulnerable:

Find SAP instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try Rumble

Don’t have Rumble and need help finding potentially vulnerable SAP instances? Start your Rumble trial today.

Similar Content

May 12, 2022

Wrangling the May 2022 Patch Tuesday

Microsoft recently released security updates for over 70 vulnerabilities, including 3 zero-days and 7 critical vulnerabilities that affect a wide-range of their products and services. The list of patches covers an actively exploited zero-day vulnerability in the Windows …

Read More

May 5, 2022

Finding F5 BIG-IP instances

Technology vendor F5 recently published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities include a mix of types and severities, a particular authentication bypass vulnerability that can affect all BIG-IP …

Read More

April 29, 2022

Finding Netatalk instances

A critical vulnerability in the Netatalk open source file server software was found in some popular network attached storage (NAS) devices. Netatalk provides services for the deprecated AFP (Apple Filing Protocol, formerly known as Appletalk Filing Protocol), and runs on a …

Read More