CVE-2016-2386

high-risk
Published 2016-02-16

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

Do I need to act?

!
44.0% chance of exploitation in next 30 days
EPSS score — higher than 56% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
2 public exploits available
43495, 39840
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Sap

References (15)

Exploit http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Inject...
Exploit http://seclists.org/fulldisclosure/2016/May/56
Broken Link https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vul...
Broken Link https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
Exploit https://github.com/vah13/SAP_exploit
Exploit https://www.exploit-db.com/exploits/39840/
Exploit https://www.exploit-db.com/exploits/43495/
Exploit http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Inject...
Exploit http://seclists.org/fulldisclosure/2016/May/56
Broken Link https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vul...
Broken Link https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
Exploit https://github.com/vah13/SAP_exploit
Exploit https://www.exploit-db.com/exploits/39840/
Exploit https://www.exploit-db.com/exploits/43495/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-...
61
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 24/34 · High
Exposure 5/34 · Minimal