Dive Brief:
- Threat actors are again targeting a critical vulnerability in SAP Internet Communication Manager (ICM), six months after security patches were released, according to researchers from Onapsis Research Labs.
- The vulnerability, tracked as CVE-2022-22536 and carrying the maximum CVSS score of 10, was the most severe of a series found during Onapsis research into a technique called HTTP response smuggling. The flaws allow an unauthenticated remote attacker to take control of an unpatched system and carry out a range of follow-on attacks, including theft of sensitive data, ransomware deployment and disruption of mission-critical business functions.
- The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on Aug. 18.
Dive Insight:
Onapsis researchers, two weeks after presenting an update on the vulnerabilities at Black Hat USA, said they observed a sudden uptick in threat activity targeting the SAP ICMAD vulnerabilities (Onapsis' name for the set of flaws) and urged organizations that have not yet applied the patch to do so immediately.
The Black Hat presentation included a demonstration of how to exploit two memory corruption vulnerabilities found in SAP's proprietary HTTP server, the ICM, according to an Onapsis spokesperson. The vulnerabilities, CVE-2022-22536 and CVE-2022-22532, can be exploited remotely and allow an attacker to compromise any SAP installation that exposes the affected service.
SAP software is used by about 400,000 organizations around the world, including roughly 90% of the Fortune 500, which makes a remotely exploitable flaw in a component exposed to the internet a high-value target.
“The threat remains high due to the criticality of the vulnerability, how widespread the affected protocol is and the initial exposure to the internet,” JP Perez-Etchegoyen, CTO at Onapsis, said via email.
“As a global leader in business software, SAP prioritizes the security of our customers’ data and operates a comprehensive security strategy across the enterprise to ensure secure and reliable software solutions,” SAP said in an emailed statement.
The company said it released a patch for CVE-2022-22536 in February and recommends that customers apply it "with immediate effect."