CVE-2016-9563

MEDIUM KEV

SAP Netweaver Application Server Java - XXE

Title source: rule

Description

BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.

Scores

CVSS v3 6.5
EPSS 0.5844
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitation Intel

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-08
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2016-10369

Classification

CWE CWE-611
Status published

Affected Products (2)

sap/netweaver_application_server_java
n/a/n/a

Timeline

Published Nov 23, 2016
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026