SAP NetWeaver Application Server Java
CVE-2010-5326
Severity: CRITICAL (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
Analysis (AI-generated)
Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet allows attackers to bypass authentication and execute arbitrary code. Confirmed actively exploited (CISA KEV) from 2013 through 2016 in 'Detour' attacks targeting SAP business applications. CVSS 10.0 with EPSS 16.90% (95th percentile) indicates both maximum theoretical severity and sustained real-world exploitation. This remains a critical priority for organizations running legacy SAP NetWeaver Java instances despite the vulnerability's age.
Technical Context (AI-generated)
The Invoker Servlet is a built-in component of SAP NetWeaver Application Server Java that provides dynamic servlet invocation capabilities. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the Invoker Servlet endpoint accepts HTTP/HTTPS requests without requiring authentication credentials. SAP NetWeaver Application Server Java is the runtime platform for SAP's enterprise applications including ERP, CRM, and SCM solutions. The affected component allows arbitrary servlet class invocation through specially crafted URLs, effectively creating an authentication bypass path into the Java application server. This architectural flaw exists in versions prior to 7.3, though the exact version range affected is documented in SAP Note 1445998.
Remediation (AI-generated)
Apply SAP Security Note 1445998 immediately, which provides patches and configuration guidance to disable or properly secure the Invoker Servlet component. Upgrade SAP NetWeaver Application Server Java to version 7.3 or later where the vulnerability is resolved. If immediate patching is impossible, implement emergency compensating controls: disable the Invoker Servlet entirely through Java EE configuration if not required for business operations (note: this may break applications relying on dynamic servlet invocation); restrict network access to NetWeaver Java HTTP/HTTPS ports (typically 50000, 50001) to authorized management networks only using firewall rules or network segmentation (trade-off: impacts legitimate remote access); deploy web application firewall (WAF) rules to block HTTP requests matching Invoker Servlet URL patterns (trade-off: requires pattern maintenance and may be bypassed). Consult Onapsis research documentation at http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions and US-CERT Alert TA16-132A at http://www.us-cert.gov/ncas/alerts/TA16-132A for additional hardening guidance. Prioritize systems processing sensitive business data or connected to financial/HR systems.
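As an added illustration of the log-review side of the compensating controls above (example code, not from vuln.today, SAP or the cited research), the following scanner flags access-log requests that reach the Invoker Servlet and records whether the server actually served them. It assumes the Invoker Servlet is addressed through a `/servlet/<fully qualified class>` segment under a web application's context root; the log format and the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Combined-style access log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# ASSUMPTION: Invoker Servlet calls look like /<context>/servlet/<target>,
# where <target> is typically a fully qualified Java class name.
INVOKER_RE = re.compile(r'^(?P<ctx>(?:/[^/]+)*)/servlet/(?P<target>[^/?]+)')
FQCN_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$')

# Constructed sample log lines: two normal requests, two Invoker Servlet calls.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2016:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/May/2016:10:01:09 +0000] '
    '"GET /irj/servlet/com.example.SomeServlet HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/May/2016:10:01:11 +0000] '
    '"POST /servlet/com.example.Other?x=1 HTTP/1.1" 401 0',
    '10.0.0.9 - - [12/May/2016:10:02:00 +0000] "GET /webdynpro/resources/app HTTP/1.1" 200 9901',
]


def classify_request(path: str) -> Optional[Dict]:
    """Return details if the path targets the Invoker Servlet, else None."""
    m = INVOKER_RE.match(path.split('?', 1)[0])  # ignore the query string
    if not m:
        return None
    target = m.group('target')
    return {
        'context': m.group('ctx') or '/',
        'target': target,
        'class_style': bool(FQCN_RE.match(target)),  # looks like a class name
    }


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Collect Invoker Servlet requests with source, method, status and outcome."""
    findings = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue  # unparseable line: skip rather than guess
        hit = classify_request(lm.group('path'))
        if hit is None:
            continue
        status = int(lm.group('status'))
        hit.update(src=lm.group('src'), method=lm.group('method'), status=status,
                   served=200 <= status < 300)  # 2xx means the call got through
        findings.append(hit)
    return findings
```

A `served` finding on an unpatched host is the signal to escalate; a 401/403 shows the control (patch, disabled servlet or WAF rule) is taking effect.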
Technique: Authentication Bypass