Cyber Resilience

CVE-2022-22536

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 February 2022
Modified: 25 February 2026
KEV Added: 18 August 2022
Patch
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9383 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22536 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in SAP NetWeaver Application Server ABAP. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher are affected by a request smuggling and request concatenation vulnerability tracked as CVE-2022-22536. The flaw, assigned CWE-444, permits an unauthenticated remote attacker to prepend arbitrary data to a victim's HTTP request, which can be used to manipulate how the server processes subsequent requests.

An attacker can exploit the issue over the network without authentication or user interaction to impersonate the victim and invoke functions on their behalf or to poison intermediary web caches. Successful exploitation yields complete loss of confidentiality, integrity, and availability, reflected in the CVSS 3.1 base score of 10.0.

SAP has published remediation details in security note 3123396 and the associated February 2022 security patch release, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. The associated EPSS score has remained at a persistently high level, with a current value of 0.9383 and a recorded peak of 0.9683.

EU & UK References

Vulnerability details

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

CWE(s): CWE-444 (HTTP Request/Response Smuggling)
KEV Date Added: 18 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SAP Content Server: 7.53
SAP NetWeaver Application Server ABAP: 7.22, 7.49, 7.53, 7.77, 7.81
SAP Web Dispatcher: 7.22ext, 7.49, 7.53, 7.77, 7.81

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of HTTP request syntax and headers to block smuggling/concatenation attempts that prepend attacker data.

prevent (SC-7, Boundary Protection): Enforces boundary-level inspection and filtering of HTTP traffic at SAP Web Dispatcher and AS components to stop request smuggling before it reaches backend servers.

prevent: Controls information flow between clients and SAP services, limiting the ability of malformed concatenated requests to impersonate users or poison caches.
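The SI-10 and SC-7 controls above both come down to one property: every component on the path must agree where one HTTP request ends and the next begins, because request smuggling and concatenation (CWE-444) exploit exactly that disagreement. The following is an added illustration, written for this page and not taken from SAP or from any SAP product, of a strict request-framing validator of the kind a boundary gateway can apply before forwarding traffic. It is generic HTTP/1.1 logic with constructed sample requests; the function and class names (`validate_request`, `classify`, `FramingError`) are this example's own.

```python
"""Strict HTTP/1.1 request-framing validator (constructed defensive example).

Rejects any request whose body boundary is ambiguous (conflicting or
duplicated length headers, malformed header syntax, bytes left over after
the declared body) instead of guessing. This is an illustration of the
SI-10 / SC-7 controls, not SAP code and not tied to any SAP product.
"""
import re
from typing import List, Optional, Tuple

# Header field-name token per RFC 9110 and a minimal HTTP/1.x request line.
TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


class FramingError(ValueError):
    """Raised when a request's boundaries cannot be determined unambiguously."""


def parse_headers(head: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Parse the request line and headers; reject syntax that parsers disagree on."""
    lines = head.split(b"\r\n")
    if not REQUEST_LINE_RE.match(lines[0]):
        raise FramingError("malformed request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN_RE.match(name):
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers


def body_length(headers: List[Tuple[bytes, bytes]]) -> Optional[int]:
    """Return the declared body length, None for chunked, or raise on ambiguity."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if len(cls) > 1:
        raise FramingError("multiple Content-Length headers")
    if len(tes) > 1:
        raise FramingError("multiple Transfer-Encoding headers")
    if tes:
        if tes[0].lower() != b"chunked":   # any other spelling is rejected, not normalised
            raise FramingError("unsupported Transfer-Encoding")
        return None
    if cls:
        if not cls[0].isdigit():
            raise FramingError("non-numeric Content-Length")
        return int(cls[0])
    return 0


def decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body strictly; return (body, remaining_bytes)."""
    out = b""
    while True:
        line, sep, data = data.partition(b"\r\n")
        if not sep:
            raise FramingError("truncated chunk size line")
        size_hex = line.split(b";", 1)[0].strip()   # chunk extensions are ignored
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_hex):
            raise FramingError("malformed chunk size")
        size = int(size_hex, 16)
        if size == 0:
            if not data.startswith(b"\r\n"):        # no trailer fields accepted
                raise FramingError("trailers not accepted")
            return out, data[2:]
        if len(data) < size + 2 or data[size:size + 2] != b"\r\n":
            raise FramingError("chunk data does not match declared size")
        out += data[:size]
        data = data[size + 2:]


def validate_request(raw: bytes) -> dict:
    """Validate one fully buffered request or raise FramingError."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF in header block")
    request_line, headers = parse_headers(head)
    length = body_length(headers)
    if length is None:
        body, rest = decode_chunked(rest)
    else:
        if len(rest) < length:
            raise FramingError("body shorter than Content-Length")
        body, rest = rest[:length], rest[length:]
    if rest:
        # Leftover bytes would be parsed as the start of a second request by a
        # lenient back end; a strict gateway refuses rather than forwarding them.
        raise FramingError("trailing bytes after request body")
    return {"request_line": request_line, "headers": headers, "body": body}


def classify(raw: bytes) -> str:
    """Gateway verdict for logging: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_request(raw)
        return "accepted"
    except FramingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed sample: a well-formed request and one with conflicting framing.
    print(classify(b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"))
    print(classify(b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"))
```

The validator deliberately refuses rather than normalises: a gateway that silently picks one interpretation of an ambiguous request can still disagree with the back end it forwards to, which is the condition smuggling needs. Rejected requests should be logged with the reason string, since a burst of "both Content-Length and Transfer-Encoding present" or "trailing bytes after request body" verdicts is a useful detection signal for this class of activity.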

References