CVE-2022-28773 in Web Dispatcher
Summary
by MITRE • 04/12/2022
Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial of service, but can be restarted automatically.
Analysis
by VulDB Data Team • 02/25/2026
CVE-2022-28773 resides in the SAP Web Dispatcher and SAP Internet Communication Manager (ICM) components and is a critical flaw that manifests as uncontrolled recursion. Both components sit at the core of the communication infrastructure of SAP systems, acting as the gateway for external communication and application access in enterprise environments, so improper handling of recursive calls there translates directly into system instability and operational disruption. The weakness lies in the internal request-processing mechanisms of these components.
The technical flaw stems from inadequate input validation and recursive call management within the SAP Web Dispatcher and ICM modules. When malformed or specially crafted requests are processed, the recursive functions lack proper termination conditions; the recursion does not terminate, consumes system resources and ultimately crashes the application. The condition can be triggered through several vectors, including malformed HTTP requests, malformed URLs, or manipulated communication protocols that exercise the recursive processing logic. The vulnerability is classified under CWE-674, Uncontrolled Recursion, a well-documented weakness class that has been exploited in numerous security incidents across different software platforms.
The operational impact goes beyond simple service disruption: it is a business-continuity and availability risk for SAP environments. Organizations that rely on SAP Web Dispatcher for load balancing, routing and communication management face denial-of-service scenarios that can affect critical business processes and user access. The affected applications restart automatically, but that recovery mechanism does not address the underlying security risk and may leave systems exposed to repeated attacks. The restart behaviour itself, while providing some resilience, can be abused by triggering the crash repeatedly, producing a persistent denial of service that exhausts system resources and causes extended downtime.
Organizations should implement immediate mitigations: network-level filtering so that malformed requests never reach the affected SAP components, application-level input validation to detect and block suspicious recursive patterns, and monitoring for unusual resource consumption that may indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1499.004, which covers Network Denial of Service, and is a classic example of improper recursion handling being leveraged for denial of service. Security teams should also consider rate limiting and connection throttling to reduce the effectiveness of automated exploitation attempts. Regular security assessments and penetration testing should look for similar recursion vulnerabilities across the broader SAP ecosystem and other application components that may be susceptible to the same class of flaw.
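As an added illustration of the monitoring mitigation above (example code written for this page, not VulDB's or SAP's own tooling): a small Python routine that scans process log lines for automatic-restart events and flags a burst of restarts inside a short window, the signature a repeatedly triggered crash-and-restart cycle leaves behind while an isolated restart does not. The log layout, component name, marker text and thresholds are constructed assumptions, not the format of any real SAP trace file.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical layout, not any real SAP trace file format).
# Three crash/restart cycles within four minutes, then one isolated restart hours later.
SAMPLE_LOG = """\
2022-04-12 10:00:01 INFO  icm: worker thread 7 serving GET /index.html
2022-04-12 10:00:03 ERROR icm: process terminated unexpectedly
2022-04-12 10:00:04 INFO  icm: process restarted automatically
2022-04-12 10:02:10 ERROR icm: process terminated unexpectedly
2022-04-12 10:02:11 INFO  icm: process restarted automatically
2022-04-12 10:03:50 ERROR icm: process terminated unexpectedly
2022-04-12 10:03:51 INFO  icm: process restarted automatically
2022-04-12 12:30:00 ERROR icm: process terminated unexpectedly
2022-04-12 12:30:01 INFO  icm: process restarted automatically
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(\S+): (.*)$")
RESTART_MARKER = "process restarted automatically"  # assumed marker text


def parse_restarts(text):
    """Return the timestamps of automatic-restart events, skipping unparseable lines."""
    restarts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and RESTART_MARKER in m.group(4):
            restarts.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return restarts


def find_restart_storms(restarts, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window check: each time at least `threshold` restarts fall inside
    `window`, record (first_restart, latest_restart, count). A single isolated
    restart never reaches the threshold, so routine restarts do not alert."""
    alerts = []
    recent = deque()
    for ts in sorted(restarts):
        recent.append(ts)
        while ts - recent[0] > window:  # drop restarts that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
    return alerts


if __name__ == "__main__":
    for start, end, n in find_restart_storms(parse_restarts(SAMPLE_LOG)):
        print(f"ALERT: {n} automatic restarts between {start} and {end}")
```

Tune `threshold` and `window` to the restart rate that is normal for the landscape; the value of the check is the correlation of restarts over time, not any single crash.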