vulnerability

SAP NetWeaver AS JAVA CVE-2016-2388: Exposure of Sensitive Information to an Unauthorized Actor

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Feb 16, 2016

Added

Apr 1, 2025

Modified

Nov 6, 2025

Description

The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.

Solution

sap-netweaver-as-java-upgrade-latest

References

CVE-2016-2388
https://attackerkb.com/topics/CVE-2016-2388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2388

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report