Remote Code Execution via ICM HTTP Handler
This is a genuine P0. The exploit requires no authentication and affects externally-facing systems. If your ICM is internet-accessible — even partially — treat this as a weekend-cancelling emergency. Patch or WAF-restrict immediately.
Technical Detail
The Internet Communication Manager (ICM) in SAP NetWeaver fails to properly validate HTTP request headers before passing them to internal processing routines. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted request to the ICM HTTP port (typically 8000 or 443).
Successful exploitation results in arbitrary OS-level code execution under the `<sid>adm` account. This effectively grants the attacker full control over the SAP application server instance and potentially the connected database.
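To decide which instances to patch or restrict first, it helps to know where ICM HTTP/HTTPS listeners are declared. The following is an added example, not code from SAP or from this advisory: it parses `icm/server_port_<n>` entries from an instance profile, resolves the `$$` instance-number placeholder, and flags listeners that have no `ACLFILE`. The profile contents, file path and function names are constructed for illustration.

```python
import re

# Constructed sample instance profile (not taken from the advisory).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
SAPSYSTEM = 00
icm/server_port_0 = PROT=HTTP,PORT=80$$,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=443,ACLFILE=/usr/sap/PRD/SYS/global/icm_acl.txt
icm/server_port_2 = PROT=SMTP,PORT=25
# icm/server_port_3 = PROT=HTTP,PORT=8080
"""

PORT_PARAM = re.compile(r"^icm/server_port_(\d+)\s*=\s*(.+)$")
INSTANCE_NO = re.compile(r"^SAPSYSTEM\s*=\s*(\d+)")


def icm_http_listeners(profile_text):
    """Return the HTTP/HTTPS ICM listeners declared in an instance profile."""
    instance_no, raw = "00", []
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out parameters
        m = INSTANCE_NO.match(line)
        if m:
            instance_no = m.group(1)
        m = PORT_PARAM.match(line)
        if m:
            raw.append((int(m.group(1)), m.group(2)))
    listeners = []
    for index, value in raw:
        # Each value is a comma-separated list of KEY=VALUE options.
        opts = {}
        for part in value.split(","):
            if "=" in part:
                key, val = part.split("=", 1)
                opts[key.strip().upper()] = val.strip()
        prot = opts.get("PROT", "").upper()
        if prot not in ("HTTP", "HTTPS"):
            continue  # SMTP and other protocols are outside this advisory
        port = opts.get("PORT", "").replace("$$", instance_no)
        listeners.append({"index": index, "prot": prot, "port": port,
                          "acl": opts.get("ACLFILE")})
    return listeners


def unrestricted(listeners):
    """Listeners with no ACL file: review these first."""
    return [l for l in listeners if l["acl"] is None]
```

A listener with an `ACLFILE` is not necessarily safe; the script only narrows down which listeners need their network exposure reviewed first.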
Affected Versions
Patch Info