CVE-2010-5326

CRITICAL KEV

SAP NetWeaver Application Server Java <7.3 - RCE

Title source: llm

Description

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

References (7)

[Permissions Required] http://service.sap.com/sap/support/notes/1445998

[Broken Link] http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/48925

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/90533

[Third Party Advisory, US Government Resource] http://www.us-cert.gov/ncas/alerts/TA16-132A

[Third Party Advisory] https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-5326

Scores

CVSS v3 10.0

EPSS 0.1318

EPSS Percentile 94.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2021-11-03

VulnCheck KEV 2016-05-13

InTheWild.io 2021-04-20

ENISA EUVD EUVD-2010-5284

CWE

CWE-306

Status published

Products (1)

sap/netweaver_application_server_java < 7.30

Published May 13, 2016

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026