
CVE-2016-2386

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 February 2016

Modified: 21 April 2026
KEV Added: 09 June 2022
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4446 (97.6th percentile)
Risk Priority: 66 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2016-2386 is a critical-severity SQL Injection (CWE-89) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a SQL injection flaw, identified as CWE-89, in the UDDI server component of SAP NetWeaver J2EE Engine 7.40. It enables remote attackers to execute arbitrary SQL commands through unspecified vectors and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation that requires neither authentication nor user interaction.

Remote unauthenticated attackers can leverage the flaw to run arbitrary SQL statements against the backend database, resulting in impacts across confidentiality, integrity, and availability that may include data exfiltration, modification, or service disruption.

SAP addressed the issue via Security Note 2101079; public references including exploit code on GitHub and detailed disclosures on Packet Storm and ERPScan indicate that proof-of-concept attacks have been available since the February 2016 publication.

EU & UK References

Vulnerability details

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 09 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sap
Product: netweaver application server java
Version: 7.40

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-10 (Information Input Validation), control type: prevent

Directly requires validation of all inputs to the UDDI interface, blocking the unsanitized vectors that enable arbitrary SQL execution.

SI-2 (Flaw Remediation), control type: prevent

Mandates timely application of the SAP Security Note 2101079 patch that eliminates the CWE-89 flaw.

SC-7 (Boundary Protection), control type: prevent

Boundary-protection mechanisms (e.g., WAF rules) can inspect and drop SQL-injection payloads before they reach the vulnerable J2EE UDDI endpoint.

References