SAP Patches Severe ‘ICMAD’ Bugs

SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more.

There’s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.

The vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in Security Note 3123396, received the tip-top risk score – a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.

The issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about them this week. And, in a blog post, SAP director of security response Vic Chung confirmed the severity of Onapsis’ findings. He said that if they aren’t remediated, the bugs – aka “ICMAD” – “will enable attackers to execute serious malicious activity on SAP users, business information and processes.”

Specifically, successful exploitation

Read More: