Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)
On February 8, 2022, SAP released security updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. Impacted organizations could experience:
- theft of sensitive data,
- financial fraud,
- disruption of mission-critical business processes,
- ransomware, and
- a halt of all operations.
Additionally, security researchers from Onapsis, in coordination with SAP, released a Threat Report describing the SAP ICM critical vulnerabilities CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. Onapsis also provides an open-source tool to identify whether a system is vulnerable and needs to be patched.
CISA recommends that operators of SAP systems review SAP’s February 2022 Security Updates page, the Onapsis Research Labs Threat Report: SAP ICMAD Vulnerabilities, and the Onapsis GitHub page for more information, and apply the necessary updates and mitigations.