News

SAP fixes serious bug in ICM software that allows system takeover

By admin
Spread the love

Software vendor SAP has released patches for a number of vulnerabilities in many of its products. Meanwhile, US authorities warn against fixing the vulnerabilities. They have high CVSS scores and enable remote code executions.

SAP has fixed a total of 14 vulnerabilities during its monthly patch cycle. Some of it fixes the log4j vulnerability found in December. The company was pointed out to some of the other vulnerabilities by security company Onapsis. That saw multiple bugs in SAP’s Internet Communication Manager. Onapsis calls that collection of bugs Icmad. The ICM software is an important part of NetWeaver, which is in many of SAP’s products.

The three vulnerabilities reported by Onapsis are CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. The first is the most serious; it gets a CVSS score of 10. According to Onapsis, the bug is easy to exploit by just sending a payload to a vulnerable system. No authentication or specific configuration is required for this. An attacker can thus completely take over a system or run code on it.

The researchers have made a free tool available that allows system administrators to scan their networks for the vulnerability. As far as is known, the leak is not actively exploited. Meanwhile, the American Cybersecurity and Infrastructure Security Agency also warns about the vulnerability. The agency is calling on administrators to install the patch as soon as possible.

You might also like
News

EU Council determines position on security requirements for digital products

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

Valve releases major Team Fortress 2 update with community maps and new taunts

News

Senate adopts bill to make doxing a punishable offense

News

Apple withdraws Rapid Security Response security update for WebKit vulnerability

News

European Commission adopts successor to Privacy Shield data transfer treaty