Critical severity 10.0 · CISA KEV · NVD Advisory · Published May 13, 2016 · Updated Jun 16, 2026
CVE-2010-5326
Description
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
Affected products
- cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:* (range: <=7.30)
- (no CPE) (range: < 7.3)
References
- www.securityfocus.com/bid/48925 [nvd] Third Party Advisory, VDB Entry
- www.securityfocus.com/bid/90533 [nvd] Third Party Advisory, VDB Entry
- www.us-cert.gov/ncas/alerts/TA16-132A [nvd] Third Party Advisory, US Government Resource
- www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications [nvd] Third Party Advisory
- service.sap.com/sap/support/notes/1445998 [nvd] Permissions Required
- www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions [nvd] Broken Link
- www.cisa.gov/known-exploited-vulnerabilities-catalog [nvd] US Government Resource