CVE-2022-22536 - [KEV] - CVSS 10.0
Overview
CVE-2022-22536 is a critical HTTP request smuggling vulnerability (CVSS 10.0) affecting multiple SAP products, including SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server, and SAP Web Dispatcher. The flaw stems from inconsistent handling of HTTP request boundaries between front-end proxies and back-end SAP application servers. An unauthenticated remote attacker can craft malformed HTTP requests that are interpreted differently by intermediary components, allowing the attacker to prepend arbitrary content to a legitimate victim's subsequent request.
Successful exploitation enables full-context request hijacking: the attacker can execute functions while impersonating an authenticated victim, hijack sessions, steal credentials in transit, bypass authentication controls, and poison shared web caches to deliver malicious content to other users. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on 2022-08-18, and the current EPSS score of 0.938 indicates a very high probability of in-the-wild exploitation activity.
Affected Products
- SAP NetWeaver Application Server ABAP
- SAP NetWeaver Application Server Java
- SAP ABAP Platform
- SAP Content Server
- SAP Web Dispatcher
Because SAP Web Dispatcher is commonly deployed as the public-facing reverse proxy for SAP landscapes, vulnerable installations are frequently directly exposed to the internet, amplifying exposure across enterprise environments.
Exploitation Evidence
- Public Exploit: A working proof-of-concept titled "SAP NetWeaver - 7.53 - HTTP Request Smuggling" has been published on Exploit-DB, lowering the barrier for opportunistic and targeted attackers.
- CISA KEV Listing: Added to the Known Exploited Vulnerabilities catalog on 2022-08-18, confirming active exploitation against U.S. federal and private-sector targets.
- EPSS 0.938: Indicates that the vulnerability is among the top tier of vulnerabilities most likely to be exploited in the wild within the near term.
- The vulnerability was originally disclosed under the moniker "ICMAD" (Internet Communication Manager Advanced Desync) by Onapsis Research Labs, who publicly demonstrated end-to-end impersonation and cache poisoning chains against unpatched SAP systems.
ATT&CK Mapping
No formal ATT&CK mappings are present in the source database. Based on the technical nature of the flaw, the following techniques are analytically relevant:
- T1190 – Exploit Public-Facing Application: Direct exploitation of internet-exposed SAP Web Dispatcher or NetWeaver instances.
- T1185 – Browser Session Hijacking / Adversary-in-the-Middle: Hijacking authenticated user requests via smuggled prefixes.
- T1557 – Adversary-in-the-Middle: Interception and manipulation of traffic flowing between users and SAP back-ends.
- T1606 – Forge Web Credentials: Theft and reuse of session tokens or cookies exposed via smuggled requests.
- T1212 – Exploitation for Credential Access: Capturing credentials submitted by impersonated victims.
Threat Actor Context
No specific threat actor attribution is recorded in the source database for this CVE. However, SAP systems are routine targets for financially motivated intrusion sets and state-aligned operators interested in ERP data, financial records, and intellectual property. Given the inclusion in CISA KEV and the availability of public exploit code, both opportunistic mass scanning and targeted exploitation should be assumed. Organizations should treat any exposed and unpatched SAP front-end as a high-probability intrusion vector.
Recommended Actions
- Apply SAP Security Notes 3123396 and 3123427 immediately to all affected NetWeaver, ABAP Platform, Content Server, and Web Dispatcher instances. These are the vendor-issued fixes for the ICMAD vulnerability set, of which CVE-2022-22536 is the most severe.
- Inventory all SAP front-ends, particularly SAP Web Dispatcher and Internet Communication Manager (ICM) components, including those behind load balancers and CDNs, and verify patch level against SAP Note 3123396.
- Remove direct internet exposure of SAP application servers where business requirements do not strictly demand it; place them behind a VPN or zero-trust access proxy instead.
- Run the Onapsis open-source scanner (released in coordination with CISA) to detect vulnerable systems and indicators of prior exploitation.
- Review web cache and reverse proxy configurations for evidence of cache poisoning; consider flushing shared caches after patching.
- Hunt for indicators of exploitation in ICM and Web Dispatcher logs: malformed Content-Length/Transfer-Encoding headers, unusually large or pipelined requests, and unexpected response/request correlation anomalies.
- Rotate session tokens, SSO artifacts, and high-privilege SAP credentials on systems that were exposed prior to patching, as impersonation may have occurred without leaving conventional authentication-failure traces.
- Deploy WAF or reverse-proxy rules to normalize or reject ambiguous HTTP requests containing both Content-Length and Transfer-Encoding headers, or invalid chunk encoding, as a compensating control.
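The header-framing checks behind the last two actions (hunting for malformed Content-Length/Transfer-Encoding headers, and rejecting ambiguous requests at the proxy), as an added example that is not code from SAP, Onapsis or this advisory; it assumes raw HTTP/1.1 requests are available to inspect (for example replayed from a capture) and the sample requests are constructed, not captured traffic:

```python
import re

# Added example (not SAP or Onapsis code): flag requests whose body framing is ambiguous
# under RFC 7230 section 3.3.3, i.e. requests a proxy and a back end may delimit differently.
HEX_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+(;.*)?$")  # chunk-size [; chunk-ext]
FRAMING = (b"content-length", b"transfer-encoding")

def split_request(raw: bytes) -> tuple[list[tuple[bytes, bytes]], bytes]:
    """Return ([(raw name, raw value), ...], body) for one raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name, value))
    return headers, body

def framing_findings(raw: bytes) -> list[str]:
    """List why a request's body length is ambiguous; an empty list means clean."""
    headers, body = split_request(raw)
    framing = [(n, v) for n, v in headers if n.strip().lower() in FRAMING]
    cl = [v.strip() for n, v in framing if n.strip().lower() == b"content-length"]
    te = [v for n, v in framing if n.strip().lower() == b"transfer-encoding"]
    findings = []
    if any(n != n.strip() for n, _ in framing):
        findings.append("whitespace around a framing header name")
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    for v in te:
        codings = v.split(b",")
        # A token that only equals "chunked" after case folding or after stripping
        # tabs/odd whitespace is an obfuscation one parser may accept and another reject.
        if any(c.strip().lower() == b"chunked" and c.strip(b" ") != b"chunked" for c in codings):
            findings.append("obfuscated chunked token in Transfer-Encoding")
        if codings[-1].strip().lower() != b"chunked":
            findings.append("Transfer-Encoding does not end with chunked")
        elif not HEX_CHUNK_SIZE.match(body.split(b"\r\n", 1)[0]):
            findings.append("first chunk-size line is not valid hex")
    return findings

# Constructed sample requests (not captured traffic) for a quick self-check.
CLEAN = b"POST / HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: sap.example\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = b"POST / HTTP/1.1\r\nHost: sap.example\r\nTransfer-Encoding:\tChunked\r\n\r\nzz\r\n\r\n"

if __name__ == "__main__":  # run stand-alone to print each sample's findings
    for req in (CLEAN, AMBIGUOUS, OBFUSCATED): print(framing_findings(req) or ["ok"])
```

A proxy rule would reject any request with a non-empty findings list; for log review, the same function run over reconstructed requests surfaces the malformed-header indicators the hunting step looks for.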