Critical SAP vulnerability patched months ago now on US exploited bug list

A critical SAP vulnerability that was patched in February has been added to a U.S. government cyber agency’s list of exploited security bugs after being discussed last week at security conferences, leading to the possibility the hole is currently being exploited.

Security Week reports that the vulnerability, CVE-2022-22536, was added this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.

The catalog is a list of security holes that have been exploited in the wild that must be remediated by U.S. federal departments. The private sector is also urged to review and monitor the catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.

The listing now of CVE-2022-22536, coming right after researchers from Onapsis talked about it and another critical SAP vulnerability, CVE-2022-22532, at the Black Hat and DefCon conference last week, raises the possibility that the CISA has learned hackers are trying to exploit the pair of holes after learning of them at the conference.

Onapsis says the two vulnerabilities can be exploited together. “Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” unless systems are patched, the report says.

CVE-2022-22536 is a memory corruption vulnerability in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher. According to the U.S. National Institute of Standards and Technology (NIST), the hole makes them vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data, says a synopsis. “This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system,” NIST says.

The other vulnerability, CVE-2022-22532, is also a memory corruption issue that affects certain versions of NetWeaver Application Server Java. NIST says it can be exploited by an unauthenticated attacker who submits a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and perform functions that could impersonate the victim or even steal the victim’s logon session.

The two vulnerabilities have been broadly known since February and therefore should have been addressed by now by SAP administrators. Arctic Wolf was among the security vendors issuing warnings in February about them.

Its report described CVE-2022-22536 as a critical memory corruption vulnerability in the SAP Internet Communication Manager (ICM) component of a number of products that could lead to full system takeover without authentication or user interaction.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.