CVE-2010-5326
In short
The Invoker Servlet in SAP NetWeaver Application Server Java can be reached without logging in, so an attacker who can send HTTP requests to the server (anyone on the internet, if it is exposed) can run code on it and take complete control.
Technical detail
The Invoker Servlet in SAP NetWeaver Application Server Java (releases before 7.3, according to the official description, which hedges with "possibly") does not require authentication (CWE-306: Missing Authentication for Critical Function). It lets a caller address a servlet by class name in an ordinary HTTP or HTTPS request, so a remote attacker with no credentials can reach servlets that were never meant to be exposed and execute arbitrary code on the application server. The vulnerability was exploited in the wild from 2013 through 2016 (see the Onapsis reports and US-CERT alert TA16-132A below) and is listed in CISA's Known Exploited Vulnerabilities catalog. The remediation described in SAP Note 1445998 and TA16-132A is to disable the Invoker Servlet globally by setting the servlet_jsp service property EnableInvokerServletGlobally to false.
Summary generated and translated by AI from the official description.
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
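The two descriptions above say what the bug is (a servlet addressed by class name is dispatched without authentication) but not what a defender can do with that knowledge. The following is an added example, not code from the CVE record, from SAP or from the referenced reports. It does two things a practitioner would actually run: it scans access-log lines for requests of the Invoker Servlet shape `/<webapp>/servlet/<fully.qualified.ServletClass>` (the URL form described in SAP Note 1445998 and the Onapsis "Detour" paper) and reports which of them carried no HTTP credentials, and it checks a `servlet_jsp` key=value property dump for the `EnableInvokerServletGlobally` switch. The class-name heuristic (dotted name, last segment capitalised), the common-log-format parsing, the host addresses, the class `com.example.internal.AdminServlet` and all log lines are constructed for the example and are not real identifiers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the CVE record or from SAP.
#
# Invoker Servlet request shape: /<webapp>/servlet/<fully.qualified.ServletClass>
# CVE-2010-5326 is that this dispatch happens without authentication.

# Heuristic: a dotted Java name whose last segment starts with an uppercase
# letter, so "/x/servlet/index.html" is not reported as a class invocation.
INVOKER_RE = re.compile(
    r"^(?P<app>(?:/[^/\s]+)*)/servlet/"
    r"(?P<cls>(?:[A-Za-z_$][\w$]*\.)+[A-Z][\w$]*)(?=[/?;]|$)"
)

# NCSA common log format; the third field is the HTTP-auth user, "-" when
# the request carried no credentials.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


@dataclass
class InvokerHit:
    ip: str
    user: str
    method: str
    path: str
    status: int
    servlet_class: str
    authenticated: bool  # HTTP-auth user present; form/session auth is invisible in CLF


def find_invoker_requests(lines: List[str]) -> List[InvokerHit]:
    """Return every parsable access-log line that addresses a servlet by class name."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not common log format: skip rather than guess
        inv = INVOKER_RE.match(m.group("path"))
        if not inv:
            continue
        hits.append(InvokerHit(
            ip=m.group("ip"),
            user=m.group("user"),
            method=m.group("method"),
            path=m.group("path"),
            status=int(m.group("status")),
            servlet_class=inv.group("cls"),
            authenticated=m.group("user") != "-",
        ))
    return hits


def invoker_servlet_enabled(properties_text: str) -> Optional[bool]:
    """True/False from EnableInvokerServletGlobally in a key=value dump; None if absent."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "EnableInvokerServletGlobally":
            return value.strip().lower() == "true"
    return None  # absent: the effective default depends on the release, so do not guess


# Constructed sample data (hypothetical hosts, class names and log lines).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2016:10:02:11 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2016:10:02:15 +0000] "GET /app/servlet/com.example.internal.AdminServlet?cmd=status HTTP/1.1" 200 2048',
    '198.51.100.4 - jdoe [12/May/2016:10:03:01 +0000] "POST /app/servlet/com.example.internal.AdminServlet HTTP/1.1" 200 96',
    '203.0.113.7 - - [12/May/2016:10:03:40 +0000] "GET /static/servlet/index.html HTTP/1.1" 404 0',
    '203.0.113.7 - - [12/May/2016:10:03:41 +0000] "GET /app/servlet HTTP/1.1" 404 0',
    'garbage line that is not in common log format',
]

SAMPLE_PROPS_WEAK = "# servlet_jsp properties (constructed)\nEnableInvokerServletGlobally=true\n"
SAMPLE_PROPS_FIXED = "# servlet_jsp properties (constructed)\nEnableInvokerServletGlobally = false\n"


if __name__ == "__main__":
    for h in find_invoker_requests(SAMPLE_LOG):
        tag = "auth" if h.authenticated else "NO-AUTH"
        print(f"{h.ip:15} {tag:7} {h.method} {h.servlet_class} -> {h.status}")
    print("weak config enabled:", invoker_servlet_enabled(SAMPLE_PROPS_WEAK))
    print("fixed config enabled:", invoker_servlet_enabled(SAMPLE_PROPS_FIXED))
```

Two caveats when running this against real logs: a 200 on a `/servlet/` path with user `-` only tells you the request was not HTTP-authenticated, not that the server accepted it without any session, so treat hits as leads to confirm against the application's own authentication logs; and an absent `EnableInvokerServletGlobally` line does not mean the servlet is off, which is why the checker returns `None` instead of a verdict.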
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a (the CVE record lists no vendor or product; the official description names SAP NetWeaver Application Server Java, possibly before 7.3)
References
http://service.sap.com/sap/support/notes/1445998
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-5326
https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attacks-sap-business-applications
http://www.onapsis.com/research/publications/sap-security-in-depth-vol4-the-invoker-servlet-a-dangerous-detour-into-sap-java-solutions
http://www.securityfocus.com/bid/48925
http://www.securityfocus.com/bid/90533
http://www.us-cert.gov/ncas/alerts/TA16-132A