CVE-2022-28773

7.5 HIGH

📋 TL;DR

CVE-2022-28773 is an uncontrolled recursion vulnerability in SAP Web Dispatcher and SAP Internet Communication Manager that can cause a denial of service through application crashes. The affected components may restart automatically after crashing, but repeated exploitation could lead to service disruption. Organizations running vulnerable versions of SAP Web Dispatcher or SAP ICM are affected.

💻 Affected Systems

Products:
  • SAP Web Dispatcher
  • SAP Internet Communication Manager
Versions: Multiple versions - see SAP Note 3111293 for specific affected versions
Operating Systems: All supported SAP platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both SAP Web Dispatcher and SAP ICM components; vulnerability exists in the core processing logic.

📦 What is this software?

SAP Web Dispatcher is the reverse proxy and load balancer that sits between clients and SAP application servers; the Internet Communication Manager (ICM) is the component of SAP NetWeaver Application Server that handles HTTP/HTTPS traffic. Both are therefore the first SAP process a remote client talks to.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Repeated exploitation causes sustained denial of service, preventing legitimate users from accessing SAP applications and disrupting business operations.

🟠 Likely Case

Intermittent service disruptions with automatic restarts, causing temporary availability issues and potential performance degradation.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring; crashes would be detected and systems would automatically recover.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability can be triggered remotely without authentication, making it relatively easy to exploit for denial of service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3111293

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3111293

Restart Required: Yes

Instructions:

1. Download SAP Note 3111293 from SAP Support Portal.
2. Apply the security patch following SAP standard patching procedures.
3. Restart the affected SAP Web Dispatcher or ICM services.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Network Access Control (all platforms)

Restrict network access to SAP Web Dispatcher and ICM to trusted sources only.

Load Balancer Configuration (all platforms)

Configure load balancers to detect and block malicious traffic patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to SAP components
  • Deploy monitoring and alerting for abnormal crash/restart patterns in SAP services

🔍 How to Verify

Check if Vulnerable:

Check if SAP Security Note 3111293 is applied using SAP Note Assistant or transaction SNOTE

Check Version:

Check SAP system version using transaction SM51 or SM50

Verify Fix Applied:

Verify SAP Note 3111293 is marked as implemented in transaction SNOTE and check system logs for successful patch application

📡 Detection & Monitoring

Log Indicators:

  • Frequent SAP Web Dispatcher/ICM crashes
  • Automatic restart logs
  • Stack overflow or recursion errors in system logs

Network Indicators:

  • Unusual traffic patterns to SAP Web Dispatcher ports
  • Multiple connection attempts triggering crashes

SIEM Query:

source="sap_system_logs" AND ("crash" OR "restart" OR "stack overflow") AND ("webdispatcher" OR "icm")
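As an added example (not part of this advisory), a small Python script that applies the log indicators above to constructed sample lines: it keeps crash and restart messages from the two affected components and alerts only when crashes cluster in a short window, so a single automatic restart stays quiet while a crash loop does not. The log layout, component names and keyword list are assumptions, not SAP's real trace format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<ISO timestamp> <component> <message>" layout;
# real SAP dev_icm / dev_webdisp traces are laid out differently, so adapt LINE_RE to them.
SAMPLE_LOGS = """\
2022-04-12T10:00:01 icm worker process started
2022-04-12T10:00:05 webdispatcher process crashed, signal 11 (stack overflow)
2022-04-12T10:00:07 webdispatcher automatic restart of process 4711
2022-04-12T10:00:40 webdispatcher process crashed, signal 11 (stack overflow)
2022-04-12T10:00:42 webdispatcher automatic restart of process 4712
2022-04-12T10:01:10 webdispatcher process crashed, signal 11 (stack overflow)
2022-04-12T10:01:12 webdispatcher automatic restart of process 4713
2022-04-12T11:45:00 icm scheduled restart after profile change
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
COMPONENTS = {"webdispatcher", "icm"}
CRASH_KEYWORDS = ("crash", "stack overflow", "recursion")  # the terms from the SIEM query
RESTART_KEYWORDS = ("restart",)

def parse_events(text):
    """Yield (timestamp, component, kind) for crash/restart lines of the affected components."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, comp, msg = datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3).lower()
        if comp not in COMPONENTS:
            continue
        if any(k in msg for k in CRASH_KEYWORDS):
            yield ts, comp, "crash"
        elif any(k in msg for k in RESTART_KEYWORDS):
            yield ts, comp, "restart"

def crash_loop_alerts(text, window=timedelta(minutes=5), threshold=3):
    """Alert when one component crashes `threshold` times within `window`; a lone crash that
    auto-restarts is noise, a tight cluster is the repeated-crash pattern the advisory describes."""
    recent, alerts = {}, []
    for ts, comp, kind in sorted(parse_events(text)):
        if kind != "crash":
            continue
        q = recent.setdefault(comp, [])
        q.append(ts)
        while ts - q[0] > window:  # drop crashes that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((comp, q[0], ts, len(q)))  # (component, first, last, count)
            q.clear()  # one alert per burst
    return alerts
```

On the sample data the three Web Dispatcher crashes within 65 seconds raise one alert, while the single scheduled ICM restart raises none.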
