CVE-2016-4014

HIGH

SAP NetWeaver JAVA AS 7.4 - XML External Entity Injection in UDDI Component

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4014. PoCs published by murataydemir.

AI-analyzed exploit summary: The repository contains functional exploit code demonstrating an XXE (XML External Entity) vulnerability in the SAP NetWeaver JAVA AS UDDI component. The PoC includes crafted HTTP requests with malicious DTDs to trigger SSRF and external entity processing.

Description

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

Exploits (1)

nomisec WORKING POC 2 stars
by murataydemir · poc
https://github.com/murataydemir/CVE-2016-4014

Classification: Working PoC 95%
Attack Type: XXE
Complexity: Trivial
Reliability: Reliable
Target: SAP NetWeaver JAVA AS UDDI Component
No auth needed
Prerequisites: Network access to the vulnerable SAP NetWeaver JAVA AS UDDI endpoint
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 8.6
EPSS: 0.0526
EPSS Percentile: 91.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Details

Status: published
Products (1): sap/netweaver 7.4
Published: Apr 14, 2016
Tracked Since: Feb 18, 2026