Skip to Content
Product Information
Author's profile photo Vic Chung

SAP Partners with Onapsis to Identify and Patch Cybersecurity Vulnerabilities

Security risks online continue to grow at an alarming rate as malicious actors take advantage of the digital revolution. In 2021, the number of software supply chain attacks tripled, showing the need for constant security vigilance. As the global leader in business software, SAP bases its development processes on a comprehensive security strategy across the enterprise that relies on trainings, tools, and processes to deliver secure products and services. SAP remains committed to engaging and collaborating with key partners to provide our customers with the most secure environment possible.

As part of this ongoing commitment, the SAP Product Security Response team collaborated with OnapsisResearch Labs to discover and patch three critical memory corruption vulnerabilities that have affected the Internet Communication Manager (ICM). Onapsis, the leader in business-critical application cybersecurity and compliance, and SAP patched these vulnerabilities promptly, as ICM is a core component of SAP business applications.

SAP released three patches for all impacted systems of a possible security attack while Onapsis helped provide a free open-source vulnerability scanner tool to assist all SAP customers affected to immediately address these issues.

If your organization was impacted at all, SAP and Onapsis have advised users to prioritize applying Security Note 3123396 [CVE-2022-22536] to the affected SAP applications immediately. If your organization’s programwas exploited, these vulnerabilities, aka “ICMAD,” will enable attackers to execute serious malicious activity on SAP users, business information and processes.

As stated by Richard Puckett, SAP’s Chief Information Security Officer, “joining forces with partners helps usmaintain secure solutions for our global customer base. It is through collaboration with key partners like Onapsis that SAP customers can protect their businesses.

“These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical,” said Mariano Nunez, CEO and co-founder of Onapsis. “We applaud SAP for their rapid response and working with Onapsis Research Labs after being notified by our experts. From swiftly issuing patches to working with our team to test the efficacy of those patches to proactively notifying impacted customers and the broader security community SAP is setting the bar for what vulnerability disclosure and response looks like and how working with trusted partners like Onapsis better protects its customers.”

What are the ICMAD Vulnerabilities?

ICM is the SAP component that enables HTTP(S) communications in SAP systems. Since ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk.

Recommendations Moving Forward

SAP and Onapsis are currently unaware of known customer breaches that relate to these vulnerabilities, but strongly advises impacted organizations to immediately apply Security Note 3123396 [CVE-2022-22536] to their affected SAP applications as soon as possible.

“As we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,” said Nunez. “The discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as RECON and 10KBLAZE, are essential to protecting the business-critical applications that power 92% of the Forbes Global 2000. I am proud of the work our researchers have done to bring these vulnerabilities to light so they could be mitigated and commend SAP for their response and collaboration.”

To learn about these vulnerabilities, join the upcoming webinar and download Onapsis’ latest threat report. SAP invites all customers to visit our Patch Day Wiki for the latest information about patches for SAP systems.

For more information about Onapsis Research Labs and details about its research, visit:


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Vic,

      unfortunately the links you've provided only point to and not to the note directly: 3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher.


      Author's profile photo Vic Chung
      Vic Chung
      Blog Post Author

      Gregor, Thanks. Correction made. Vic

      Author's profile photo Juan Pablo Perez Etchegoyen
      Juan Pablo Perez Etchegoyen

      Thanks Vic for the super professional and customer-focused mindset you and the entire PSRT team maintain. As you know, we share the common objective of securing SAP customers and I believe we do that working together with and for these organizations. It is always challenging to handle and react to critical vulnerabilities but by raising awareness and providing all the necessary information  SAP and Onapsis are helping organizations to react timely.

      There is a lot of information out there so I would totally recommend organizations to review:

      1- The main SAP Security Note 3123396  as well as the FAQ (Great Resource!)

      2- The Onapsis Threat Report on ICMAD vulnerabilities and our blog

      3- The open source scanner released by Onapsis to detect if a given system is vulnerable or not.



      Author's profile photo Vic Chung
      Vic Chung
      Blog Post Author


      Likewise, a big thank you to the Onapsis team. We appreciate your partnership and expertise along the way.