CVE-2022-22532
Published: 09 February 2022
Summary
CVE-2022-22532 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-22532 is a critical remote code execution vulnerability in SAP NetWeaver Application Server Java affecting multiple kernel components, specifically KRNL64NUC 7.22/7.22EXT/7.49, KRNL64UC 7.22/7.22EXT/7.49/7.53, and KERNEL 7.22/7.49/7.53. The flaw stems from improper handling of shared memory buffers when processing crafted HTTP server requests, classified under CWE-444.
An unauthenticated attacker with network access can submit a maliciously formed HTTP request to trigger the issue. Successful exploitation allows arbitrary payload execution, enabling the attacker to impersonate the victim user or steal the victim's logon session, with a CVSS 3.1 score of 9.8 reflecting the absence of required authentication or user interaction.
SAP security advisories direct customers to SAP Note 3123427 and the February 2022 security patch day document for remediation details and available corrections.
The associated EPSS score has remained flat, peaking at 0.0590, with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27678
Vulnerability details
In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.
- CWE(s): CWE-444 (HTTP Request/Response Smuggling)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet.