CVE-2022-22532

Severity: Critical
Published: 09 February 2022
Modified: 21 November 2024
CISA KEV: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0590 (90.8th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22532 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in SAP NetWeaver Application Server Java. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 9.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22532 is a critical-severity vulnerability in the HTTP request handling of SAP NetWeaver Application Server Java affecting multiple kernel components, specifically KRNL64NUC 7.22/7.22EXT/7.49, KRNL64UC 7.22/7.22EXT/7.49/7.53, and KERNEL 7.22/7.49/7.53. The flaw stems from improper handling of shared memory buffers when the server processes a crafted HTTP request, and it is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests, i.e. HTTP request smuggling).

An unauthenticated attacker with network access can submit a crafted HTTP request to trigger the issue. Successful exploitation allows the attacker's payload to be executed by the server, which can be used to impersonate the victim user or steal the victim's logon session. The CVSS 3.1 base score of 9.8 reflects that neither authentication nor user interaction is required.
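The page classifies the flaw as CWE-444, the weakness class in which a front end and a back end disagree on where one HTTP request ends and the next begins. The following added example (not SAP's code, and not a reproduction of the SAP-specific trigger, which the page does not describe) is a strict request-framing validator of the kind a reverse proxy or WAF in front of an application server should enforce: it flags requests that carry both Content-Length and Transfer-Encoding, conflicting or non-numeric Content-Length values, obfuscated header names, unknown transfer codings, and chunked bodies with trailing bytes. All sample requests are constructed.

```python
"""Strict HTTP/1.1 request-framing check illustrating CWE-444 (request smuggling).

Added example, not code from SAP or from the page. The SAP-specific trigger
for CVE-2022-22532 is not public and is not reproduced; the sample requests
below are constructed to show the framing ambiguities a front end must reject.
"""
import re

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 header-name token
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def split_head(raw: bytes):
    """Return (request_line, headers, body). Header names and values are kept
    exactly as sent so the checks see any obfuscation present on the wire."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def decode_chunked(body: bytes) -> bytes:
    """Strict chunked decoder: hex size, CRLF, data, CRLF, a final 0 chunk and
    nothing after it. Anything a lenient parser would silently skip is an error."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk-size line not CRLF-terminated")
        size_field = body[pos:end].split(b";", 1)[0]          # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            if body[pos:] != b"\r\n":                          # trailers are not accepted here
                raise ValueError("bytes after the last chunk")
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        out += body[pos:pos + size]
        pos += size + 2


def framing_findings(raw: bytes) -> list:
    """Return the framing ambiguities in one request. An empty list means any
    compliant front end and back end will agree on where the request ends."""
    request_line, headers, body = split_head(raw)
    findings = []
    if len(request_line.split(" ")) != 3:
        findings.append(f"malformed request line {request_line!r}")
    cl, te = [], []
    for name, value in headers:
        if not TOKEN.match(name):                              # e.g. 'Transfer-Encoding ' or ' Host'
            findings.append(f"malformed header name {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            cl.append(value.strip())
        elif key == "transfer-encoding":
            te.append(value.strip())
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present (CL.TE / TE.CL desync)")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        findings.append(f"non-numeric Content-Length {cl}")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            findings.append(f"Transfer-Encoding does not end with chunked: {te}")
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:                                            # 'xchunked' and similar evasions
            findings.append(f"unknown transfer coding {unknown}")
        try:
            decode_chunked(body)
        except ValueError as exc:
            findings.append(f"chunked body invalid: {exc}")
    elif len(set(cl)) == 1 and re.fullmatch(r"[0-9]+", cl[0]):
        declared, actual = int(cl[0]), len(body)
        if actual > declared:                                  # only legitimate as pipelining
            findings.append(f"{actual - declared} byte(s) beyond Content-Length")
        elif actual < declared:
            findings.append("body shorter than Content-Length")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /sap/bc/ HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")
TE_SPACE = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
            b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl.te", CL_TE), ("te-space", TE_SPACE)):
        print(label, framing_findings(req) or "ok")
```

The CL_TE sample is the classic desync: a front end honouring Content-Length forwards all 13 body bytes, while a back end honouring Transfer-Encoding stops after the 0 chunk and treats SMUGGLED as the start of the next request. The TE_SPACE sample shows why header names are matched strictly rather than after trimming: a parser that tolerates the space before the colon sees chunked encoding, one that does not sees only Content-Length.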

SAP directs customers to SAP Security Note 3123427 and the February 2022 Security Patch Day document for remediation details and the available corrections.

The EPSS score has remained at 0.0590 since disclosure, with no material increase observed.

Vulnerability details

In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.

CWE(s)

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SAP NetWeaver Application Server Java: 7.22, 7.49, 7.53, krnl64nuc_7.22, krnl64nuc_7.22ext

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
