CVE-2016-3976

Severity: HIGH · Listed in CISA KEV

SAP NetWeaver AS Java <7.6 - Path Traversal


Exploitation Summary

CVE-2016-3976 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including ERPScan.

AI-analyzed exploit summary: This is a detailed advisory for CVE-2016-3976, a directory traversal vulnerability in SAP NetWeaver AS JAVA 7.1-7.5. The vulnerability allows an authorized attacker to read arbitrary files from the server via the CrashFileDownloadServlet endpoint.

Description

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

Exploits (1)

exploitdb writeup by ERPScan (textwebappsjava)
https://www.exploit-db.com/exploits/39996


Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: SAP NetWeaver AS JAVA 7.1 - 7.5
Authentication: required
Prerequisites: Access to the SAP NetWeaver AS JAVA application · Valid authentication credentials
Analyzed by devstral-2 on Feb 16, 2026

References (7)

Core references:
- Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2016/Jun/40
- Third Party Advisory (x_refsource_misc): https://erpscan.io/advisories/erpscan-16-012/
- Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/39996/
- Permissions Required (x_refsource_misc): https://launchpad.support.sap.com/#/notes/2234971

Scores

CVSS v3: 7.5
EPSS: 0.4633
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment:
Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-04-08
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2016-4985
CWE: CWE-22
Status: published
Products (1): sap/netweaver_application_server_java 7.10 - 7.50
Published: Apr 07, 2016
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026