CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2022-22536

CVSS 10.0v3.1pub. 2022-02-09upd. 2026-02-25

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Sap Content Server

    APP
    Sap
    7.53
  • Sap Netweaver Application Server Abap

    APP
    Sap
    7.227.497.537.777.817.857.867.878.04krnl64nuc_7.22krnl64nuc_7.22extkrnl64nuc_7.49krnl64uc_7.22krnl64uc_7.22extkrnl64uc_7.49+ 2 więcej
  • Sap Web Dispatcher

    APP
    Sap
    7.22ext7.497.537.777.817.857.867.87

CISA KEV — detailsi

Vendori
SAP
Producti
Multiple Products
Added to KEVi
August 18, 2022
Remediation deadline (US Federal)i
September 8, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 8 września 2022
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-0488CRITICAL9.9PL ✓ten sam produkt

SAP CRM / S/4HANA Scripting Editor — nieautoryzowane wykonanie SQL

CVE-2023-40309CRITICAL9.8ten sam produkt

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong aut...

CVE-2023-27269CRITICAL9.6ten sam produkt

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752,...

CVE-2023-27500CRITICAL9.6ten sam produkt

An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO ...

CVE-2023-0014CRITICAL9.0ten sam produkt

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, ...