CVE-2010-5326 — SAP NetWeaver Remote Code Execution Vulnerability

CVE-2010-5326

SAP NetWeaver AS Java — Unauthenticated Invoker Servlet Enables Remote Code Execution; Maximum CVSS 10.0 with Scope:Changed

What is SAP NetWeaver Application Server Java?

SAP NetWeaver Application Server Java (AS Java) is the Java-based application server component of the SAP NetWeaver platform — the foundation layer for enterprise SAP applications including SAP Enterprise Portal, Process Integration (PI), Business Warehouse (BW), and Solution Manager. SAP NetWeaver AS Java is deployed in large enterprises, government agencies, and critical infrastructure operators worldwide to run mission-critical ERP, financial, and logistics systems. The SAP NetWeaver AS Java server includes an administrative web interface and numerous servlets for application management. Access to the SAP administrative stack typically provides pathways to an organization's most sensitive data — financial records, HR data, supply chain information, and business intelligence — making SAP systems high-priority targets for nation-state and financially motivated threat actors.

Overview

CVE-2010-5326 is a maximum-severity remote code execution vulnerability (CVSS 10.0, Scope:Changed) in SAP NetWeaver Application Server Java. The Invoker Servlet component of the SAP Java EE application server allows any HTTP servlet to be invoked directly by URL without authentication. An unauthenticated remote attacker can use this to invoke any deployed servlet — including administrative and management servlets — and execute arbitrary Java code on the SAP server. The Scope:Changed designation reflects that compromising the SAP application server grants access to all data and systems integrated with it, extending impact beyond the server itself. CISA added CVE-2010-5326 to the inaugural KEV catalog in November 2021.

Affected Versions

Product                                  Vulnerable   Fixed
SAP NetWeaver AS Java 7.0 and earlier    Affected     Apply SAP Security Note 1503579
SAP NetWeaver AS Java 7.01               Affected     Apply SAP Security Note 1503579
SAP NetWeaver AS Java 7.02               Affected     Apply SAP Security Note 1503579
SAP NetWeaver AS Java 7.11               Affected     Apply SAP Security Note 1503579
SAP NetWeaver AS Java 7.20               Affected     Apply SAP Security Note 1503579

Note: The vulnerability affects SAP NetWeaver AS Java configurations where the Invoker Servlet is enabled (a common default). Customers should verify current SAP Security Notes for their specific version.

Technical Details

The Invoker Servlet is a legacy Java EE mechanism — present in older application servers — that enables direct HTTP invocation of any servlet by constructing a URL of the form /servlet/<FullyQualifiedServletClassName>. In standard Java EE security configurations, servlet access should be controlled by web application security constraints. However, the Invoker Servlet bypasses these constraints by providing direct access to servlet classes by name, regardless of what security restrictions the application's web.xml deployment descriptor specifies.

In SAP NetWeaver AS Java's default configuration, the Invoker Servlet was enabled and accessible without authentication. This allowed any HTTP client to:

  1. Send a request, with no credentials, to /servlet/com.sap.engine.services.servlets_jsp.server.deploy.impl.DeployServlet (or to another administrative servlet).
  2. Have the AS Java server process that request as if it came from an authenticated administrator.
  3. Use the servlet to deploy arbitrary WAR files to the server or to invoke administrative operations.

Deploying a malicious WAR file through the unauthenticated Invoker Servlet provided full code execution within the AS Java server's JVM. Since SAP NetWeaver AS Java processes are deeply integrated with SAP's business data layer, the execution context provides access to all SAP business data, integrated databases, and connected systems.

The Scope:Changed designation in the CVSS score reflects that a compromised SAP application server is not just a standalone system — it is the hub for an organization's most sensitive business processes and data. Impact extends to all SAP-connected systems, databases, business intelligence platforms, and third-party integrations.

Discovery

The Invoker Servlet attack surface was known to the SAP security research community for years before formal CVE assignment. SAP Security Note 1503579 (issued circa 2010) addressed the issue by disabling the Invoker Servlet in default configurations. However, formal CVE assignment did not occur until 2016 — six years later — following sustained research publication by SAP security specialists at firms including ERPScan and Onapsis, who systematically documented the exploitation of unpatched SAP systems.

Exploitation Context

SAP vulnerabilities represent a different threat model than typical server vulnerabilities:

  • Highest-value enterprise targets: SAP systems contain an organization's complete financial, HR, supply chain, and operational data. Adversaries who compromise SAP infrastructure can extract year-over-year financial data, product roadmaps, employee information, and customer records — intelligence of extraordinary value for espionage or fraud.
  • Nation-state exploitation: The US-CERT and CISA have issued multiple alerts specifically warning about state-sponsored actors targeting SAP systems. APT groups have demonstrated the ability to exploit SAP-specific vulnerabilities including CVE-2010-5326 for long-term persistent access to enterprise SAP environments.
  • Pervasive deployment: SAP runs the financial systems of 92% of Forbes Global 2000 companies. A single CVSS 10.0 vulnerability applicable to default SAP configurations represented an extraordinary attack surface against the world's largest and most strategically significant organizations.
  • CVSS 10.0 rarity: The perfect CVSS 10.0 score reflects the worst value on every severity dimension simultaneously — network-reachable, low attack complexity, no credentials, no user interaction, and cross-system impact. Very few CVEs achieve this score; when applied to the most critical enterprise business system in global use, it represents an extraordinary risk.
  • Long-term unpatched deployments: SAP patching cycles are complex and expensive — patches often require extensive testing in staging environments before production deployment. Many organizations ran unpatched SAP installations for years, particularly when SAP Security Note 1503579 required configuration changes rather than a simple software update.

Remediation

  1. Apply SAP Security Note 1503579: Disable the Invoker Servlet in all SAP NetWeaver AS Java deployments. Follow SAP's instructions for the specific AS Java version in use.
  2. Restrict SAP portal access: Place SAP NetWeaver AS Java behind network access controls that limit HTTP/HTTPS access to known trusted IP ranges. Never expose SAP administrative interfaces directly to the internet.
  3. SAP security hardening: Follow SAP security hardening guidelines from SAP's own documentation and the DSAG (German SAP User Group) and ASUG security working groups.
  4. Regular SAP patch cycles: Establish a regular cadence for applying SAP Security Notes. CISA and Onapsis provide threat intelligence on actively exploited SAP vulnerabilities to assist in prioritization.
  5. SAP security monitoring: Deploy SAP-aware security monitoring tools (such as SAP Solution Manager's Security Optimization Service or third-party SAP SIEM integrations) to detect anomalous servlet invocations and administrative activity.
  6. Network segmentation: Isolate SAP systems in dedicated network segments with firewall rules restricting lateral movement from compromised SAP servers to adjacent business systems.
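The Technical Details section above gives the Invoker Servlet URL form (/servlet/<FullyQualifiedServletClassName>), and remediation step 5 calls for detecting anomalous servlet invocations. The following audit script is an added example, not code from the advisory or from SAP: it scans NCSA-style HTTP access log lines (a constructed sample is embedded; log format, field layout and all class names other than DeployServlet are assumptions) and flags invoker-path requests, marking which ones the server actually dispatched and which carried no authenticated user.

```python
import re
from collections import Counter

# Constructed sample lines in NCSA common log format. Illustrative only, not real
# SAP NetWeaver logs; every class name except DeployServlet is made up.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Mar/2016:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2016:10:01:09 +0000] "POST /servlet/com.sap.engine.services.servlets_jsp.server.deploy.impl.DeployServlet HTTP/1.1" 200 311
203.0.113.7 - - [12/Mar/2016:10:01:15 +0000] "GET /servlet/com.example.app.ReportServlet?id=1 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2016:10:02:00 +0000] "GET /webdynpro/dispatcher/Explorer HTTP/1.1" 200 9876
198.51.100.3 - - [12/Mar/2016:10:03:44 +0000] "GET /servlet/com.sap.engine.services.servlets_jsp.server.deploy.impl.DeployServlet HTTP/1.1" 401 0
"""

# NCSA common log format: ip ident authuser [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Invoker Servlet URL form from the advisory: /servlet/<FullyQualifiedServletClassName>
INVOKER_RE = re.compile(r'^/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)')


def find_invoker_hits(log_text):
    """Return one record per request whose path targets the Invoker Servlet."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected log format; skip
        inv = INVOKER_RE.match(m['path'])
        if not inv:
            continue                      # ordinary application path, not an invoker call
        cls = inv['cls']
        hits.append({
            'ip': m['ip'],
            'class': cls,
            'status': int(m['status']),
            # A 2xx status means the server really dispatched to the named servlet.
            'executed': m['status'].startswith('2'),
            # "-" in the authuser field means no authenticated user was recorded.
            'authenticated': m['user'] != '-',
            # Classes under the server's deploy package warrant immediate triage.
            'severity': 'high' if '.deploy.' in cls else 'medium',
        })
    return hits


def unauthenticated_executions_by_ip(hits):
    """Count successful, unauthenticated invoker calls per source address."""
    return Counter(h['ip'] for h in hits if h['executed'] and not h['authenticated'])
```

On a patched system (Invoker Servlet disabled per SAP Security Note 1503579) every such request should fail, so any record with executed set to True is a finding in its own right.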

Key Details

Property              Value
CVE ID                CVE-2010-5326
Vendor / Product      SAP — NetWeaver
NVD Published         2016-05-13
NVD Last Modified     2025-10-22
CVSS 3.1 Score        10
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date          Event
2010-01-01    SAP NetWeaver Invoker Servlet vulnerability exists; accessible in default installations without authentication
2016-05-13    CVE-2010-5326 formally published, six years after the vulnerability was first known, following sustained exploitation and SAP security researcher disclosures
2021-11-03    CISA adds CVE-2010-5326 to KEV, one of the original 287 entries in the inaugural KEV catalog
2022-05-03    CISA BOD 22-01 remediation deadline

References

Resource                   Type
NVD — CVE-2010-5326        Vulnerability Database
CISA KEV Catalog Entry     US Government