
SAP NetWeaver Application Server Java CVE-2010-5326

Severity: CRITICAL (CVSS 3.1 base score 10.0, rated by NVD)
Weakness: Missing Authentication for Critical Function (CWE-306)
Published: 2016-05-13 (source: cve@mitre.org)

Severity by source

NVD (primary): 10.0 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 21, 2026 15:31 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 21, 2026 15:22 (vuln.today), cvss_changed
Analysis Generated: Mar 26, 2026 11:17 (vuln.today)
Added to CISA KEV: Oct 22, 2025 00:15 (cisa)
CVE Published: May 13, 2016 10:59 (nvd), CRITICAL 10.0

Description (source: CVE.org)

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Analysis (AI-generated)

Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet allows attackers to bypass authentication and execute arbitrary code. Confirmed actively exploited (CISA KEV) from 2013 through 2016 in 'Detour' attacks targeting SAP business applications. CVSS 10.0 with EPSS 16.90% (95th percentile) indicates both maximum theoretical severity and sustained real-world exploitation. This remains a critical priority for organizations running legacy SAP NetWeaver Java instances despite the vulnerability's age.

Technical Context (AI-generated)

The Invoker Servlet is a built-in component of SAP NetWeaver Application Server Java that provides dynamic servlet invocation capabilities. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where the Invoker Servlet endpoint accepts HTTP/HTTPS requests without requiring authentication credentials. SAP NetWeaver Application Server Java is the runtime platform for SAP's enterprise applications including ERP, CRM, and SCM solutions. The affected component allows arbitrary servlet class invocation through specially crafted URLs, effectively creating an authentication bypass path into the Java application server. This architectural flaw exists in versions prior to 7.3, though the exact version range affected is documented in SAP Note 1445998.

Remediation (AI-generated)

Apply SAP Security Note 1445998 immediately; it provides patches and configuration guidance to disable or properly secure the Invoker Servlet component. Upgrade SAP NetWeaver Application Server Java to version 7.3 or later, where the vulnerability is resolved.

If immediate patching is impossible, implement emergency compensating controls:

1. Disable the Invoker Servlet entirely through Java EE configuration if it is not required for business operations (note: this may break applications that rely on dynamic servlet invocation).
2. Restrict network access to the NetWeaver Java HTTP/HTTPS ports (typically 50000 and 50001) to authorized management networks only, using firewall rules or network segmentation (trade-off: impacts legitimate remote access).
3. Deploy web application firewall (WAF) rules to block HTTP requests matching Invoker Servlet URL patterns (trade-off: requires pattern maintenance and may be bypassed).

Consult the Onapsis research paper at http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions and US-CERT Alert TA16-132A at http://www.us-cert.gov/ncas/alerts/TA16-132A for additional hardening guidance. Prioritize systems that process sensitive business data or are connected to financial/HR systems.
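As an added example (not part of this vuln.today record, SAP Note 1445998 or the Onapsis paper), the following Python script hunts HTTP access logs for requests that fit the Invoker Servlet URL convention, which both supports the URL-pattern control described above and checks whether such requests came from outside the management networks the network-restriction control allows. It assumes Common Log Format lines rather than SAP's own ICM log layout, that the Invoker Servlet is addressed as /<context>/servlet/<target> with <target> usually a fully qualified Java class name, and a 10.0.0.0/24 management network; the log lines, client addresses and class names are constructed.

```python
import ipaddress
import re

# Example detection over HTTP access logs for Invoker Servlet requests.
# Assumption (not from the page): the Invoker Servlet is reached via URLs of
# the form /<context>/servlet/<target>, where <target> is usually a fully
# qualified (dotted) Java class name.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed trusted net

CLF_RE = re.compile(  # common log format: client, timestamp, request, status
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')
INVOKER_RE = re.compile(r'^/(?P<context>[^/?]+)/servlet/(?P<target>[^/?]+)')
FQCN_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$')


def classify(line):
    """Return a finding for an Invoker Servlet style request, else None."""
    m = CLF_RE.match(line)
    inv = m and INVOKER_RE.match(m["path"].split("?", 1)[0])
    if not inv:
        return None
    trusted = any(ipaddress.ip_address(m["client"]) in n for n in MANAGEMENT_NETS)
    fqcn = bool(FQCN_RE.match(inv["target"]))
    served = m["status"].startswith("2")  # server answered: servlet reachable
    # Highest concern: dotted class name, untrusted client, request served.
    severity = "high" if (fqcn and not trusted and served) else "medium"
    return {"client": m["client"], "context": inv["context"],
            "target": inv["target"], "status": int(m["status"]),
            "trusted_source": trusted, "fqcn": fqcn, "severity": severity}


def scan(log_text):
    """Scan log text line by line; return findings in order of appearance."""
    return [f for f in map(classify, log_text.splitlines()) if f]


# Constructed sample lines: a normal portal hit plus two Invoker-style requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2016:08:01:10 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2016:08:02:31 +0000] "GET /webapp/servlet/com.example.AdminServlet?x=1 HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2016:08:03:02 +0000] "GET /webapp/servlet/HelloServlet HTTP/1.1" 404 221
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['client']} /{f['context']}/servlet/{f['target']} {f['status']}")
```

A served (2xx) Invoker-style request from an untrusted client is the signal that the compensating controls are not yet in effect on that host, and is worth investigating as possible exploitation.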


CVE-2010-5326 vulnerability details – vuln.today
