CVE-2010-5326

CRITICAL 10.0 (CVSS 3.1)
Published: 2016-05-13

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:17 (vuln.today)
Added to CISA KEV: Oct 22, 2025 - 00:15 (cisa)
CVE Published: May 13, 2016 - 10:59 (nvd), rated CRITICAL 10.0

Description

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

Analysis

SAP NetWeaver Application Server Java exposes the Invoker Servlet without authentication, allowing unauthenticated remote code execution via HTTP/HTTPS requests. The flaw was exploited in the wild from 2013 through 2016 in what is known as the 'Detour' attack.

Technical Context

The CWE-306 missing authentication flaw exposes the /invoker/JMXInvokerServlet and similar servlets without requiring any authentication. Attackers can directly invoke server-side Java methods, including those capable of executing operating system commands, through crafted HTTP requests.

Affected Products

SAP NetWeaver Application Server Java versions before 7.3

Remediation

Disable the Invoker Servlet immediately and apply the relevant SAP security notes. Restrict network access to SAP application servers, and audit for signs of historical compromise given the 2013-2016 exploitation window.

Priority Score

127
KEV: +50
EPSS: +16.9
CVSS: +50
POC: 0
