CVE-2016-2388

MEDIUM KEV

SAP NetWeaver AS JAVA 7.10-7.50 - Exposure of Sensitive Information via Universal Worklist Configuration

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2016-2388 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 9, 2022. EIP tracks 3 public exploits from researchers including Vahagn Vardanyan, ERPScan.

AI-analyzed exploit summary This exploit demonstrates a time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50, leveraging information disclosure (CVE-2016-2388) to retrieve administrator credentials. It uses a SOAP request to extract password hashes via blind SQLi.

Description

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

Exploits (3)

exploitdb WORKING POC
by Vahagn Vardanyan · pythonwebappsmultiple
https://www.exploit-db.com/exploits/43495

This exploit demonstrates a time-based SQL injection (CVE-2016-2386) in SAP NetWeaver AS Java UDDI 7.11-7.50, leveraging information disclosure (CVE-2016-2388) to retrieve administrator credentials. It uses a SOAP request to extract password hashes via blind SQLi.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: SAP NetWeaver AS Java UDDI 7.11-7.50
No auth needed
Prerequisites: Network access to SAP NetWeaver AS Java UDDI service · SOAP endpoint exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP
by ERPScan · textwebappsxml
https://www.exploit-db.com/exploits/39841

This is a detailed advisory describing an information disclosure vulnerability in SAP NetWeaver AS JAVA 7.1-7.5. The vulnerability allows an anonymous attacker to retrieve a list of SAP users via a specific HTTP request to a WebDynpro resource.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SAP NetWeaver AS JAVA 7.1-7.5
No auth needed
Prerequisites: Access to the SAP NetWeaver AS JAVA server on port 50000
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
infoleak
https://github.com/vah13/SAP_exploit

This repository contains a functional Python exploit for CVE-2016-2386, a time-based SQL injection vulnerability in SAP NetWeaver AS Java UDDI 7.11-7.50. The exploit demonstrates the vulnerability by extracting hashed credentials from the UME_STRINGS table and includes detailed technical explanations of the attack vector.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: SAP NetWeaver AS Java UDDI 7.11-7.50
No auth needed
Prerequisites: Network access to the SAP NetWeaver AS Java UDDI service
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (8)

Core 8
Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/May/55
Broken Link, Third Party Advisory x_refsource_misc
https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39841/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43495/

Scores

CVSS v3 5.3
EPSS 0.5127
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2022-06-09
VulnCheck KEV 2022-06-09
InTheWild.io 2022-06-09
ENISA EUVD EUVD-2016-3472
CWE
CWE-200
Status published
Products (1)
sap/netweaver_application_server_java 7.10 - 7.50
Published Feb 16, 2016
KEV Added Jun 09, 2022
Tracked Since Feb 18, 2026