In February 2022, Onapsis Research Labs disclosed a set of critical vulnerabilities in SAP's Internet Communication Manager (ICM), collectively dubbed ICMAD. The most severe, CVE-2022-22536, received the maximum CVSS score of 10.0. These vulnerabilities allowed unauthenticated attackers to perform HTTP request smuggling attacks against SAP applications, potentially leading to complete system compromise. Given that SAP systems process 77% of the world's transactional revenue, the stakes were enormous.
What Is the SAP Internet Communication Manager?
The ICM is the HTTP/HTTPS request handler for SAP NetWeaver Application Server. It's the component that processes all web-based communication for SAP applications — SAP Fiori, SAP Gateway, SAP Portal, and all web-based SAP transactions. Every SAP system exposed to the web uses ICM to handle incoming requests.
ICM sits at the boundary between the internet and SAP's application logic. It handles TLS termination, HTTP parsing, session management, and request routing. A vulnerability in ICM affects every SAP application served through it.
The ICMAD Vulnerabilities
Three vulnerabilities were disclosed under the ICMAD umbrella:
CVE-2022-22536 (CVSS 10.0): HTTP request smuggling/desynchronization in ICM. An unauthenticated attacker can prepend arbitrary data to HTTP requests processed by SAP, effectively controlling requests that other users send. This can be used to hijack sessions, steal credentials, and execute arbitrary SAP transactions as any user.
CVE-2022-22532 (CVSS 8.1): HTTP request smuggling via a separate parsing inconsistency in ICM. This allows similar request manipulation attacks but requires slightly different conditions.
CVE-2022-22533 (CVSS 7.5): A memory corruption vulnerability in ICM that can be triggered remotely, leading to denial of service or potentially code execution.
HTTP Request Smuggling Explained
HTTP request smuggling exploits differences in how front-end and back-end servers parse HTTP requests. When a proxy (or in this case, ICM) and a back-end application disagree on where one request ends and the next begins, an attacker can "smuggle" a malicious request that gets appended to a legitimate user's next request.
In the SAP context, this is devastating:
- The attacker sends a specially crafted HTTP request to the SAP server
- ICM misparses the request boundaries
- The attacker's payload is prepended to the next legitimate request from any user
- The legitimate user's session and credentials are applied to the attacker's smuggled request
- The attacker's SAP transaction executes with the victim's permissions
If the victim happens to be an SAP administrator, the attacker gains full administrative access to the SAP system. The attacker doesn't need any credentials at all — they hijack a legitimate session through request manipulation.
The Business Impact
SAP systems are not ordinary applications. They run:
- Financial accounting — general ledger, accounts payable/receivable, asset management
- Human resources — payroll, employee records, benefits administration
- Supply chain management — procurement, inventory, manufacturing
- Customer relationship management — sales, service, marketing
Compromising an SAP system can mean accessing payroll data for tens of thousands of employees, manipulating financial transactions, redirecting payments, exfiltrating customer data, or altering supply chain operations. For publicly traded companies, unauthorized access to SAP financial data could constitute material non-public information.
CISA promptly added CVE-2022-22536 to its Known Exploited Vulnerabilities catalog and urged organizations to patch immediately.
Why SAP Patching Is Different
SAP patching isn't like updating a web server or applying a Windows security update. SAP systems are complex, highly customized enterprise applications. Applying patches requires:
Extensive testing: Organizations typically have custom ABAP code, third-party integrations, and business-specific configurations that can break with any patch. Testing an SAP kernel update can take weeks.
Change management: SAP systems often process financial transactions subject to SOX compliance. Changes require formal approval processes, documented testing, and audit trails.
Downtime planning: Applying ICM patches often requires restarting the SAP kernel, which means planned downtime for critical business applications.
Limited patching windows: Many organizations only patch SAP systems quarterly, creating extended windows of vulnerability between disclosure and remediation.
This meant that even after SAP released patches for ICMAD in February 2022, many organizations wouldn't apply them for weeks or months. Some likely still haven't.
The Onapsis Research
Onapsis, the security firm that discovered the ICMAD vulnerabilities, estimated that approximately 40,000 SAP customers were potentially affected. Their research showed that:
- The vulnerability could be exploited through SAP Web Dispatcher, SAP Content Server, and SAP NetWeaver ABAP and Java stacks
- Default SAP configurations were vulnerable — no special configuration was required
- The attack left minimal forensic traces, making detection difficult
- Exploitation didn't require any SAP-specific knowledge — standard HTTP request smuggling techniques worked
Onapsis also worked with SAP to develop detection rules and provided a free scanning tool to help organizations assess their exposure.
The Broader SAP Security Challenge
ICMAD highlighted a persistent challenge in enterprise software security: the most business-critical applications often have the weakest security posture.
SAP security is a niche specialty. Most security teams don't have SAP-specific expertise. They can't assess SAP configurations, audit ABAP code, or evaluate the impact of SAP-specific vulnerabilities. This creates a blind spot where critical vulnerabilities go unaddressed.
SAP systems accumulate technical debt. Many organizations run SAP configurations that haven't been reviewed in years. Custom code from decades ago may contain vulnerabilities that have never been assessed. Default settings persist because changing them is risky.
Internet exposure is growing. SAP Fiori, SAP Gateway, and other web-based interfaces are increasingly exposed to the internet for mobile access, partner integration, and remote work. The attack surface for SAP systems has grown dramatically while security practices haven't kept pace.
Remediation Guidance
1. Apply SAP Security Notes Immediately
SAP Security Note 3123396 addresses CVE-2022-22536. Given the CVSS 10.0 rating and the availability of exploitation techniques, this should bypass normal change management timelines. Emergency patching is warranted.
2. Implement Web Application Firewall Rules
While waiting for patches, WAF rules can detect and block HTTP request smuggling patterns. This provides a defense-in-depth layer even after patching.
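As an added illustration (not code from this article, Onapsis or SAP), the following Python function checks one raw HTTP request for the framing ambiguities that request smuggling depends on, which is the kind of check a WAF or reverse proxy applies at the edge before forwarding to a back end. It covers the generic indicators described in RFC 7230 section 3.3.3, not a signature for ICMAD specifically; the sample requests and the /example path are constructed.

```python
"""Flag HTTP request framing ambiguities that request smuggling relies on."""
import re

# RFC 7230 header field name token, followed by optional whitespace and the value.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_request(raw: bytes):
    """Split a raw request into (request-line, [(lowercased name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return lines[0], headers, body


def smuggling_indicators(raw: bytes) -> list[str]:
    """Return the names of framing ambiguities present in one raw request.

    An empty list means the message length is framed unambiguously. Any
    indicator is grounds to reject the request at the edge rather than let
    two parsers decide independently where it ends. Assumes the bytes hold
    a single request (no pipelining) as a non-pipelining gateway would see it.
    """
    _, headers, body = parse_request(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    found = []
    if cls and tes:  # RFC 7230 says this "ought to be handled as an error"
        found.append("content-length-and-transfer-encoding")
    if len(cls) > 1:
        found.append("multiple-content-length")
        if len(set(cls)) > 1:
            found.append("conflicting-content-length")
    if any(not re.fullmatch(rb"\d+", v) for v in cls):
        found.append("non-numeric-content-length")
    for v in tes:  # final coding must be a clean "chunked" token, nothing odd
        codings = [c.strip().lower() for c in v.split(b",")]
        if codings[-1] != b"chunked" or not all(re.fullmatch(rb"[a-z0-9-]+", c) for c in codings):
            found.append("irregular-transfer-encoding")
            break
    if len(cls) == 1 and not tes and re.fullmatch(rb"\d+", cls[0]):
        if len(body) > int(cls[0]):  # trailing bytes a back end might read as a new request
            found.append("bytes-beyond-content-length")
    return found


# Constructed sample requests (not captured traffic).
CLEAN = b"POST /example HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /example HTTP/1.1\r\nHost: sap.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

Run as a pre-filter only; it reduces the parsing disagreements an edge device would otherwise forward, but it is no substitute for applying SAP Security Note 3123396.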
3. Reduce Internet Exposure
Audit which SAP services are internet-facing and reduce exposure to the minimum required. Use VPN or zero-trust network access for remote SAP access rather than direct internet exposure.
4. Monitor SAP Transaction Logs
Watch for unusual SAP transaction patterns that might indicate session hijacking — administrative transactions from unexpected users, bulk data exports, or configuration changes outside maintenance windows.
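As an added example of the monitoring described above (not code from this article or any SAP tool), the following Python script scans a constructed, simplified transaction log for the three patterns named: sensitive transactions by non-administrators, sensitive transactions outside the maintenance window, and bulk exports. The log format, the administrator allowlist, the maintenance window and the export threshold are all assumptions; SU01, PFCG, SM59, RZ10, SE16 and VA01 are real SAP transaction codes, but which ones count as sensitive is a local decision.

```python
"""Flag transaction-log patterns that may indicate a hijacked SAP session."""
from collections import defaultdict
from datetime import datetime, time

SENSITIVE_TCODES = {"SU01", "PFCG", "SM59", "RZ10"}  # assumed: user, role, RFC, profile admin
ADMIN_USERS = {"BASIS01", "BASIS02"}                  # assumed allowlist of administrators
MAINT_START, MAINT_END = time(22, 0), time(4, 0)      # assumed nightly maintenance window
BULK_EXPORT_ROWS = 50_000                             # assumed per-user threshold per batch


def in_maintenance_window(ts: datetime) -> bool:
    """The window wraps midnight, so a time is inside it if after start or before end."""
    t = ts.time()
    return t >= MAINT_START or t < MAINT_END


def parse_line(line: str) -> dict:
    """Constructed CSV shape: timestamp,user,tcode,event,rows (not real audit-log output)."""
    ts, user, tcode, event, rows = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "tcode": tcode, "event": event, "rows": int(rows)}


def find_anomalies(lines: list[str]) -> list[str]:
    """Return one human-readable finding per suspicious pattern in the batch."""
    findings = []
    exported = defaultdict(int)  # rows exported per user across the batch
    for rec in map(parse_line, lines):
        if rec["tcode"] in SENSITIVE_TCODES:
            if rec["user"] not in ADMIN_USERS:
                findings.append(f"{rec['user']} ran {rec['tcode']} but is not an administrator")
            if not in_maintenance_window(rec["ts"]):
                findings.append(f"{rec['tcode']} by {rec['user']} outside maintenance window at {rec['ts']:%H:%M}")
        if rec["event"] == "EXPORT":
            exported[rec["user"]] += rec["rows"]
    for user, rows in exported.items():
        if rows > BULK_EXPORT_ROWS:
            findings.append(f"{user} exported {rows} rows in one batch")
    return findings


# Constructed sample log lines (not real SAP Security Audit Log records).
SAMPLE_LOG = [
    "2022-02-10T23:15:00,BASIS01,SU01,CHANGE,0",     # administrator, inside window: fine
    "2022-02-11T10:42:00,JSMITH,PFCG,CHANGE,0",      # role change by non-admin, in daytime
    "2022-02-11T10:43:00,JSMITH,SE16,EXPORT,30000",
    "2022-02-11T10:47:00,JSMITH,SE16,EXPORT,25000",  # 55,000 rows total for JSMITH
    "2022-02-11T11:00:00,MJONES,VA01,CREATE,0",      # ordinary business transaction
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```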
How Safeguard.sh Helps
Safeguard.sh addresses the unique security challenges of enterprise applications like SAP:
- Enterprise Software Vulnerability Tracking: Safeguard.sh monitors CVEs affecting enterprise platforms like SAP, Oracle, and others, correlating them against your actual deployments.
- Patch Gap Visibility: Safeguard.sh identifies the gap between available patches and applied versions, highlighting high-risk systems like internet-facing SAP servers that are behind on critical updates.
- Risk Prioritization: With CVSS 10.0 vulnerabilities, every hour matters. Safeguard.sh prioritizes remediation based on severity, exploitability, and business impact, ensuring the most critical issues are addressed first.
- Compliance Tracking: For organizations subject to SOX, PCI-DSS, or other regulations, Safeguard.sh provides audit-ready evidence of vulnerability management and patching activities.
CVE-2022-22536 showed that the most business-critical software can harbor the most dangerous vulnerabilities. Safeguard.sh ensures these systems receive the security attention they demand.