CVE-2022-22536 — SAP Multiple Products HTTP Request Smuggling Vulnerability

SAP NetWeaver/ICM — ICMAD HTTP Request Smuggling; Session Hijack and RCE (CVSS 10)

What is SAP NetWeaver?

SAP NetWeaver is the foundational middleware platform underlying SAP ERP, S/4HANA, CRM, SRM, SCM, and virtually every other SAP enterprise application. The Internet Communication Manager (ICM) is the HTTP/HTTPS server built into NetWeaver — it handles all inbound web traffic to SAP systems and acts as a web dispatcher, reverse proxy, and application gateway. SAP systems are deployed in thousands of enterprises worldwide managing finance, HR, supply chain, and manufacturing operations.

Overview

CVE-2022-22536 is a critical HTTP request smuggling vulnerability (CWE-444) in the SAP Internet Communication Manager, branded "ICMAD" (Internet Communication Manager Advanced Desync) by Onapsis, the research firm that discovered it. CVSS score of 10.0. An unauthenticated attacker can send specially crafted HTTP requests that the ICM interprets ambiguously, allowing them to prepend malicious content to legitimate user requests — enabling session hijacking, credential theft, and remote code execution without any valid SAP credentials. CISA and Onapsis published a joint advisory on the day of the patch release, calling it one of the most critical SAP vulnerabilities ever found.

Affected Versions

Product                  Affected Versions
SAP NetWeaver AS ABAP    Multiple versions; patch via SAP Note 3123396
SAP NetWeaver AS Java    Multiple versions; patch via SAP Note 3123396
ABAP Platform            Multiple versions
SAP Content Server       Multiple versions
SAP Web Dispatcher       Multiple versions

Technical Details

HTTP request smuggling (CWE-444) exploits inconsistencies in how different HTTP processors (a front-end proxy and a back-end server) parse the same HTTP request, particularly around Content-Length and Transfer-Encoding headers. The SAP ICM has a specific parsing flaw where certain header combinations cause it to process HTTP boundaries differently than downstream components.

An attacker crafts an HTTP request with ambiguous length headers that causes SAP's ICM to believe a request has ended at a different point than the back-end application server does. This "desync" allows the attacker to:

  1. Prepend arbitrary data to the next user's request — effectively adding malicious parameters or payloads to a legitimate authenticated user's transaction
  2. Steal session tokens — the smuggled prefix is prepended to a victim's authenticated request, and the attacker receives the session cookie in an error response
  3. Execute arbitrary RFC-based functions — with a stolen session, or by directly invoking SAP function modules via smuggled requests
  4. Poison caches — if an SAP Web Dispatcher or CDN is in the path, poisoned responses are cached and served to all users

The attack requires no authentication and can be performed with a single TCP connection to the SAP ICM port (usually 443 or 8000).
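An added example, not code from the advisory, Onapsis or SAP: the kind of strict framing check a front end, Web Dispatcher rule or WAF applies to reject requests whose body length is ambiguous (the CWE-444 condition described above). The sample requests, hostnames and paths are constructed for illustration.

```python
import re

# Constructed sample requests (not from the advisory); CRLF line endings as on the wire.
SAMPLES = {
    "clean":  b"POST /sap/public/ping HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te":  b"POST /sap/public/ping HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /sap/public/ping HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 4\r\n"
              b"Content-Length: 9\r\n\r\nabcd",
    "odd_te": b"POST /sap/public/ping HTTP/1.1\r\nHost: sap.example\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
}

# Transfer codings a strict parser is willing to recognise; anything else is refused.
KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}

def parse_headers(raw: bytes):
    """Return (name, value) pairs from the request head; names lower-cased but NOT stripped,
    so that whitespace tricks around the name remain visible to the checks below."""
    head = raw.partition(b"\r\n\r\n")[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name.lower(), value.strip()))
    return pairs

def framing_issues(raw: bytes):
    """List the framing ambiguities a strict front end should reject outright,
    so that front end and back end can never disagree on where a request ends."""
    headers = parse_headers(raw)
    cls = [v for n, v in headers if n.strip() == b"content-length"]
    tes = [v for n, v in headers if n.strip() == b"transfer-encoding"]
    issues = []
    if cls and tes:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not re.fullmatch(rb"[0-9]+", v) for v in cls):
        issues.append("non-numeric Content-Length")
    for v in tes:
        codings = [c.strip().lower() for c in v.split(b",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            issues.append("unrecognised Transfer-Encoding coding")
    if any(n != n.strip() for n, _ in headers):
        issues.append("whitespace around a header name (parsers disagree here)")
    return issues

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", framing_issues(req) or "accept")
```

A request that triggers any of these findings should be rejected with a 400 and logged, never forwarded to the ICM with a "best guess" about its length.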

Discovery

Discovered by researchers at Onapsis Research Labs. Onapsis coordinated disclosure with SAP and CISA, resulting in a synchronized patch, CISA alert, and Onapsis technical blog post all published on the same day — February 8, 2022.

Exploitation Context

SAP systems are among the most valuable enterprise targets: they contain financial records, payroll data, supply chain information, and manufacturing controls. SAP's own market data suggests 92% of the Forbes Global 2000 run SAP software.

The joint CISA/Onapsis advisory noted that threat actors were already targeting SAP vulnerabilities opportunistically, and that this vulnerability's CVSS 10.0 score and internet-exposed ICM interfaces made it an immediate priority. SAP Security Patch Day releases come once a month, so organizations that miss a cycle remain exposed for weeks.

The CISA KEV addition came 6 months after the patch, indicating that active in-the-wild exploitation had been confirmed against organizations that had not yet applied the February 2022 patch.

Remediation

  1. Apply SAP Security Note 3123396: This is the primary patch and requires a valid SAP support account. Given the CVSS 10 rating, treat it as an emergency change rather than waiting for the next scheduled maintenance window.
  2. Apply all outstanding SAP patches: Use SAP's System Recommendations (transaction SOLMAN_SETUP) to identify all missing security notes.
  3. Restrict ICM access: Use SAP's ACL functionality (transaction SMICM) to restrict HTTP access to trusted IP ranges where internet exposure is not required.
  4. Enable SAP Web Dispatcher: If not already using SAP Web Dispatcher as a reverse proxy front-end, deploy it to add an HTTP validation layer.
  5. Monitor SAP application logs: Enable and review HTTP access logs in the ICM (transaction SMICM > Goto > Trace File) for anomalous request patterns.
  6. Engage SAP Basis team: SAP patching requires specialized Basis expertise — ensure your SAP Basis administrators are aware of and prioritize this patch cycle.

Key Details

Property              Value
CVE ID                CVE-2022-22536
Vendor / Product      SAP — Multiple Products
NVD Published         2022-02-09
NVD Last Modified     2026-02-25
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-444
CISA KEV Added        2022-08-18
CISA KEV Deadline     2022-09-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date         Event
2022-02-08   SAP Security Patch Day — patch released; CISA and Onapsis publish advisory
2022-02-09   CVE published
2022-08-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-09-08   CISA BOD 22-01 remediation deadline