⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2010-5326: Missing Authentication for Critical Function in SAP NetWeaver Application Server Java

Severity: 10.0 CRITICAL (NVD)
EPSS: 16.9% (top 5.03%)
CISA KEV: added 2021-11-03, due 2022-05-03
Exploit: exploited in the wild; active exploitation observed
Timeline: published May 13; KEV added Nov 3; KEV due May 3; latest update May 13
CISA Required Action: Apply updates per vendor instructions.

Description

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages: 1 package

Vulnerability Details (3)

GHSA: GHSA-w5jq-q2q7-wx7x (2022-05-13): The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7
CVEList: CVE-2010-5326 (2016-05-13): The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7
VulnCheck: SAP NetWeaver Remote Code Execution Vulnerability (2010)

Vendor Advisories (1)

CISA: SAP NetWeaver Remote Code Execution Vulnerability (2021-11-03)
CVE-2010-5326 — SAP vulnerability | cvebase