Exploit for #VU78958 Inconsistent interpretation of HTTP requests in SAP products

Published: 2023-09-08 | Updated: 2025-04-04

Vulnerability identifier: #VU78958

Vulnerability risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2022-22536

CWE-ID: CWE-444

Exploitation vector: Network

Exploits in database: 4

April 4, 2025
- SAPGateBreaker-Exploit (SAPGateBreaker is a PoC exploit for CVE-2022-22536, a critical HTTP Request Smuggling vulnerability in SAP NetWeaver. It demonstrates how to bypass ACLs by desynchronizing request parsing between ICM and backend services using craf [Github]
September 20, 2024
- CVE-2022-22536 (SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536.) [Github]
November 7, 2023
- SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-22536 () [Github]
September 8, 2023
- CVE-2022-22536 (SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536.) [Github]

Vulnerable software:
SAP NetWeaver AS ABAP
Server applications / Application servers
SAP NetWeaver AS JAVA
Server applications / Application servers
SAP Content Server
Web applications / CMS
SAP Web Dispatcher WEBDISP
Server applications / Other server solutions

Vendor: SAP