The first vulnerability received the highest possible risk score, a 10 out of 10.

Edward Gately, Senior News Editor

February 8, 2022


Onapsis and SAP have disclosed three critical, network-exploitable vulnerabilities in the Internet Communication Manager (ICM), a core component of SAP business applications.

The first vulnerability received the highest possible CVSS score, 10 out of 10. The other two received scores of 8.1 and 7.5, respectively. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing an alert about these vulnerabilities.

These critical vulnerabilities could impact an estimated 40,000 SAP customers if they don’t install the patch.

Exploitation of the vulnerabilities, dubbed ICMAD, could allow an attacker to perform serious malicious activities. Those include:

  • Hijacking of user identities, and theft of all user credentials and personal information.

  • Exfiltration of sensitive or confidential corporate information.

  • Fraudulent transactions and financial harm.

  • Change of banking details in a financial system of record.

  • An internal denial-of-service attack that disrupts critical systems for the business.

SAP has patched these vulnerabilities. Both SAP and Onapsis advise impacted organizations to prioritize applying the fixes to their affected SAP applications immediately.

Exploitation Inevitable

JP Perez-Etchegoyen is Onapsis' CTO.


“We have found no evidence of these vulnerabilities being exploited,” he said. “However, enterprises that have yet to install the patches are at extremely critical risk. As we have recently witnessed with threat groups like Elephant Beetle and BlackCat, business-critical applications remain a highly lucrative target. Threat actors have the sophistication, knowledge and tools to conduct successful exploits. So it’s only a matter of time before threat actors begin taking advantage of these vulnerabilities.”

In the past, cybercriminals have launched exploits after patches were released, Perez-Etchegoyen said.

These vulnerabilities are so critical because it’s challenging to differentiate a malicious request from a perfectly normal, benign request, Perez-Etchegoyen said. Moreover, they require no previous authentication, the exploitation is very simple and no preconditions are necessary.

The payloads can be sent through HTTP(S), SAP’s most widely used network service, he said.

Full System Takeover Possible

“Unpatched SAP NetWeaver applications, such as Java and Advanced Business Application Programming (ABAP), that are accessible through HTTP(S), or any applications sitting behind SAP Web Dispatcher, such as S/4HANA, are vulnerable,” Perez-Etchegoyen said. “If exploited by an attacker, this can lead to full system takeover.”

Onapsis Research Labs' investigation of HTTP request smuggling over the last year led to its discovery of the vulnerabilities. They can be exploited in affected systems over the internet without any authentication, so multifactor authentication (MFA) controls do not mitigate them.
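The difficulty Perez-Etchegoyen describes, telling a malicious request from a benign one, is a property of the HTTP request smuggling class the Onapsis research started from: two HTTP parsers can read the same bytes and disagree about where one request ends and the next begins. The example below is added here to illustrate that class in general; it is not code from the article, Onapsis or SAP, and it does not reproduce the ICM bugs. The request bytes are constructed for the demo, and `parse_requests`, `request_lines` and `strict_rejects` are illustrative helpers, not part of any product. A parser that frames by Content-Length sees a single POST, a parser that honours Transfer-Encoding sees a second, smuggled GET, and a strict parser refuses the ambiguous request outright.

```python
"""Generic CL.TE HTTP request-smuggling illustration.

Added example for this article, not code from the article, Onapsis or SAP,
and not a reproduction of the ICM bugs: it shows the vulnerability class
(request-framing disagreement between two HTTP parsers) that makes a
smuggled request look benign to the component that inspects it.
"""


def _split_head(stream: bytes, start: int):
    """Parse one request head at `start`; return (request line, headers, body offset)."""
    end = stream.index(b"\r\n\r\n", start)
    lines = stream[start:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body at `pos`; return (body, offset of the next request)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            while stream[pos:pos + 2] != b"\r\n":  # skip any trailer lines
                pos = stream.index(b"\r\n", pos) + 2
            return body, pos + 2
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF


def parse_requests(stream: bytes, framing: str):
    """Split a pipelined byte stream into (request line, body) pairs.

    framing="cl"     frames bodies by Content-Length and ignores Transfer-Encoding
                     (the "CL" side of a CL.TE desync)
    framing="te"     honours Transfer-Encoding: chunked when present (the "TE" side)
    framing="strict" rejects a request carrying both headers, or an unknown
                     Transfer-Encoding, instead of guessing
    """
    requests = []
    pos = 0
    while pos < len(stream):
        request_line, headers, pos = _split_head(stream, pos)
        te = headers.get("transfer-encoding", "").lower()
        cl = headers.get("content-length")
        if framing == "strict":
            if te and cl is not None:
                raise ValueError(f"ambiguous framing in {request_line!r}: "
                                 "both Content-Length and Transfer-Encoding")
            if te and te != "chunked":
                raise ValueError(f"unsupported Transfer-Encoding {te!r} in {request_line!r}")
        if framing in ("te", "strict") and te == "chunked":
            body, pos = _read_chunked(stream, pos)
        elif cl is not None:
            length = int(cl)
            body, pos = stream[pos:pos + length], pos + length
        else:
            body = b""  # no body framing: head-only request
        requests.append((request_line, body))
    return requests


# Constructed demo traffic: one POST whose Content-Length covers a terminating
# chunk *and* a complete second request, so the two framings disagree.
SMUGGLED = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: target\r\n\r\n"
STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target\r\n"
    + b"Content-Length: %d\r\n" % len(SMUGGLED)
    + b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + SMUGGLED
)


def request_lines(framing: str):
    """Request lines a given framing policy sees in STREAM."""
    return [line for line, _ in parse_requests(STREAM, framing)]


def strict_rejects(stream: bytes) -> bool:
    """True if the strict parser refuses the stream as ambiguous."""
    try:
        parse_requests(stream, "strict")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("CL framing sees:", request_lines("cl"))    # one request: POST /
    print("TE framing sees:", request_lines("te"))    # two: POST / and GET /admin
    print("strict parser rejects:", strict_rejects(STREAM))
```

The point for a defender is the first line of output: a component that frames by Content-Length logs and inspects only `POST /`, so whatever it applies to the path (authentication, a WAF rule, an allow-list) never sees the `GET /admin` that the downstream parser executes. Rejecting requests that carry both framing headers, as the strict mode does, removes the ambiguity rather than trying to detect a malicious variant of it.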


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
