CISA warns admins to patch maximum severity SAP vulnerability
2022-02-09 16:55

The US Cybersecurity and Infrastructure Security Agency has warned admins to patch a set of severe security flaws dubbed ICMAD and impacting SAP business apps using Internet Communication Manager.

Yesterday, Onapsis Research Labs, which found and reported CVE-2022-22536, one of the three ICMAD bugs and the one rated as a maximum severity issue, also cautioned SAP customers to patch them immediately.

If successfully exploited, the ICMAD bugs allow attackers to target SAP users, business information, and processes, and steal credentials, trigger denials of service, execute code remotely and, ultimately, fully compromise any unpatched SAP applications.

"The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet," Onapsis explained.

"Malicious actors can easily leverage the most critical vulnerability in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications."

The German business software developer also patched other maximum severity vulnerabilities associated with the Apache Log4j 2 component used in SAP Commerce, SAP Data Intelligence 3, SAP Dynamic Authorization Management, Internet of Things Edge Platform, and SAP Customer Checkout.


News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2022-02-09 | CVE-2022-22536 | HTTP Request Smuggling vulnerability in SAP products. SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. (network, low complexity, sap, CWE-444) | critical, 10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 384 110 931 241 94 1376