CVE-2010-5326 in Netweaver Java Application Server
Summary
by MITRE
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack.
Analysis
by VulDB Data Team • 04/23/2026
CVE-2010-5326 is a critical authentication bypass in SAP NetWeaver Application Server Java, affecting, per the MITRE description, releases possibly before 7.3. The affected component is the Invoker Servlet, a built-in feature of the Java engine that lets a client call any servlet class deployed on the server by naming that class in the request path, without the servlet having been declared, mapped and protected in the application's deployment descriptor. Because no authentication was enforced on that path, an unauthenticated remote attacker could reach arbitrary servlets, and through them execute arbitrary code, with nothing more than an HTTP or HTTPS request. The flaw drew significant attention between 2013 and 2016, when it was actively exploited in the wild, and it is a clear illustration of how severe the impact of an authentication bypass can be in an enterprise environment.
The weakness is classified as CWE-287, Improper Authentication. Normally a servlet is reachable only through the URL patterns declared for it in the web application's web.xml, and the security constraints declared there (required roles, authentication method, transport guarantee) are enforced on exactly those patterns. The Invoker Servlet sidesteps this: a request whose path contains a `servlet/` segment followed by a fully qualified Java class name is dispatched to that class directly, so the declarative constraints bound to the servlet's regular URL patterns never apply. The attacker therefore does not have to defeat any authentication mechanism; they only have to craft an HTTP or HTTPS request that names the servlet class they want to run. Where that servlet performs privileged actions, the result is unauthenticated remote code execution on the application server.
The operational impact of CVE-2010-5326 goes well beyond a single code execution primitive: it amounts to full compromise of the application server. Once in, an adversary can exfiltrate data held in the SAP system, escalate privileges, move laterally across the network and plant persistent backdoors. In ATT&CK terms the initial access maps to T1190, Exploit Public-Facing Application; no valid account is involved, since the point of the flaw is that the invoker path is reachable without any credentials. Organizations running affected SAP systems were particularly exposed because SAP NetWeaver hosts core business applications, which makes these systems attractive targets for attackers seeking persistent access to corporate networks.
The exploitation campaigns that became known as "Detour" attacks show how the Invoker Servlet let attackers route around the server's security controls. The method is simple: send a request to the invoker path naming a servlet class, and the server runs that servlet without authenticating the caller. The attack is notable precisely because it abuses a legitimate, documented feature of the application server rather than a memory corruption bug or other implementation defect, which is why it worked reliably across installations. That the flaw was still being exploited in the wild years after its discovery underlines the cost of leaving an authentication bypass unaddressed in production. The recommended mitigations are to apply the SAP fix, disable the Invoker Servlet globally (the `EnableInvokerServletGlobally` property of the AS Java servlet_jsp service set to false), and segment the network so that the AS Java HTTP ports are not reachable from untrusted networks. Because disabling the servlet is a configuration change rather than only a code patch, verify on every instance that the property is actually false instead of relying on the patch level alone, and watch the web server or reverse proxy logs for requests that still follow the invoker path pattern.
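The following is an added example, not code from VulDB, SAP or the original page: a small detector that runs over web server access logs and flags requests shaped like Invoker Servlet calls, i.e. a `servlet/` path segment followed by a dotted Java class name, as described in the technical and mitigation paragraphs above. It assumes Apache "combined"-style log lines in front of the AS Java; the log lines and the servlet class names (`com.example.Constructed*`) are constructed for the example and hypothetical. It percent-decodes twice and collapses repeated slashes before matching so that trivial encoding evasions do not slip past the pattern.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined"-style) written for
# this example; they are not captured from any real SAP system, and the
# servlet class names are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:10:01:03 +0000] "GET /irj/portal HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2016:10:01:05 +0000] "GET /servlet/com.example.ConstructedAdminServlet HTTP/1.1" 200 512 "-" "curl/7.47.0"
203.0.113.9 - - [12/May/2016:10:01:06 +0000] "POST /myapp/servlet/com%2Eexample%2EConstructedUploadServlet?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.9.1"
203.0.113.9 - - [12/May/2016:10:01:07 +0000] "GET //myapp//servlet//com.example.ConstructedUploadServlet HTTP/1.1" 200 88 "-" "python-requests/2.9.1"
198.51.100.4 - - [12/May/2016:10:02:11 +0000] "GET /myapp/servlet/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A "servlet/" path segment followed by a dotted, fully qualified Java class
# name is the shape of an Invoker Servlet request.
INVOKER_RE = re.compile(
    r'(?:^|/)servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)'
)


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode twice (to catch double
    encoding) and collapse repeated slashes, so that evasions such as
    %2E for '.' or '//servlet//' still match the pattern."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r'/+', '/', path)


def invoker_class(target: str):
    """Return the servlet class named in an invoker-style request, else None."""
    m = INVOKER_RE.search(normalize_path(target))
    return m.group('cls') if m else None


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_invoker_requests(log_text: str):
    """Return one record per log line whose request targets the Invoker Servlet."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = invoker_class(rec['target'])
        if cls is not None:
            hits.append({
                'ip': rec['ip'], 'ts': rec['ts'], 'method': rec['method'],
                'status': rec['status'], 'class': cls,
            })
    return hits


def summarize(hits):
    """Distinct servlet classes requested per source IP, sorted for stable output."""
    by_ip = defaultdict(set)
    for h in hits:
        by_ip[h['ip']].add(h['class'])
    return {ip: sorted(classes) for ip, classes in by_ip.items()}


if __name__ == '__main__':
    found = find_invoker_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} status={h['status']} class={h['class']}")
    print(summarize(found))
```

On the constructed input the detector reports three invoker-style requests from 203.0.113.9 (one encoded, one with doubled slashes) and ignores the portal request and the bare `/servlet/` path. The same normalized pattern can be turned into a blocking rule on a reverse proxy or WAF in front of AS Java, but that is a stopgap: the durable fix remains disabling the Invoker Servlet on the server itself.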