CVE-2021-38163

CRITICAL KEV

SAP NetWeaver (Visual Composer 7.0 RT) - Command Injection

Title source: llm

Exploitation Summary

CVE-2021-38163 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 9, 2022. EIP tracks 2 public exploits from researchers including core1impact, purpleteam-ru.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-38163, targeting SAP NetWeaver Visual Composer. The exploit authenticates as a non-administrative user, uploads a malicious JSP file via a path traversal vulnerability, and executes arbitrary OS commands with the privileges of the Java Server process.

Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Exploits (2)

nomisec WORKING POC 4 stars

by core1impact · remote-auth

https://github.com/core1impact/CVE-2021-38163

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-38163, targeting SAP NetWeaver Visual Composer. The exploit authenticates as a non-administrative user, uploads a malicious JSP file via a path traversal vulnerability, and executes arbitrary OS commands with the privileges of the Java Server process.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40, 7.50

Auth required

Prerequisites: Valid credentials for a non-administrative user · Network access to SAP NetWeaver ports (e.g., 50000, 50001, 50004, 50013, 50113)

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by purpleteam-ru · remote-auth

https://github.com/purpleteam-ru/CVE-2021-38163

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-38163, which targets SAP NetWeaver AS Java. The exploit leverages path traversal and file upload vulnerabilities to achieve remote code execution by deploying a malicious JSP file.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SAP NetWeaver AS Java (versions before October 2021 security patch)

Auth required

Prerequisites: Valid credentials for SAP NetWeaver AS Java · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Broken Link, Vendor Advisory x_refsource_misc

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405

Permissions Required x_refsource_misc

https://launchpad.support.sap.com/#/notes/3084487

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38163

Scores

CVSS v3 9.9

EPSS 0.3715

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-06-09

VulnCheck KEV 2022-06-09

InTheWild.io 2022-06-09

ENISA EUVD EUVD-2021-24633

CWE

CWE-22

Status published

Products (4)

sap/netweaver 7.30

sap/netweaver 7.31

sap/netweaver 7.40

sap/netweaver 7.50

Published Sep 14, 2021

KEV Added Jun 09, 2022

Tracked Since Feb 18, 2026