How to find SAP NetWeaver instances on your network


Latest SAP NetWeaver vulnerability #

A set of recently patched SAP vulnerabilities has been surfaced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with their recommendation to patch as soon as possible. Discovered and disclosed by security researchers at Onapsis, these three vulnerabilities are referred to as ICMAD and affect SAP applications which utilize the SAP Internet Communication Manager (ICM).

Which SAP NetWeaver versions are affected? #

Some versions of SAP NetWeaver contain all three of these ICMAD vulnerabilities:

  • CVE-2022-22536 (CVSS "critical" score of 10.0) - vulnerable to request smuggling and request concatenation, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, data exfiltration, denial of service, and more. In addition to NetWeaver, some versions of SAP Web Dispatcher and SAP Content Server also contain this vulnerability.
  • CVE-2022-22532 (CVSS "high" score of 8.1) - vulnerability in shared memory handling, successful exploitation by an unauthenticated attacker resulting in code execution, victim impersonation, or taking over the victim's logon session.
  • CVE-2022-22533 (CVSS "low" score of 3.7) - vulnerability in error handling which could result in a denial of service attack by exhausting available memory, leading to system shutdown.

Is a security patch available? #

Yes. SAP made patched software available earlier this week. While there currently are no known customer breaches related to exploitation of the ICMAD vulnerabilities, SAP does strongly recommend that admins update to the latest available versions as soon as possible.

How do I find potentially vulnerable SAP NetWeaver instances with runZero? #

From the Asset Inventory, use the following pre-built query to locate SAP NetWeaver assets within your network that are potentially vulnerable:

Find SAP instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try runZero #

Don't have runZero and need help finding potentially vulnerable SAP instances? Start your runZero trial today.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved