CVE-2021-38163

CRITICAL KEV

SAP NetWeaver (Visual Composer 7.0 RT) - Command Injection

Title source: llm

Description

In SAP NetWeaver (Visual Composer 7.0 RT) versions 7.30, 7.31, 7.40 and 7.50, an attacker authenticated as a non-administrative user can, without restriction, upload a malicious file over the network and trigger its processing, which can run operating system commands with the privileges of the Java Server process. These commands can be used to read or modify any information on the server or to shut the server down, making it unavailable.

Exploits (2)

nomisec WORKING POC 4 stars
by core1impact · remote-auth
https://github.com/core1impact/CVE-2021-38163
nomisec WORKING POC
by purpleteam-ru · remote-auth
https://github.com/purpleteam-ru/CVE-2021-38163

Scores

CVSS v3 9.9
EPSS 0.8477
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CISA KEV 2022-06-09
VulnCheck KEV 2022-06-09
InTheWild.io 2022-06-09
ENISA EUVD EUVD-2021-24633
CWE
CWE-22
Status published
Products (4)
sap/netweaver 7.30
sap/netweaver 7.31
sap/netweaver 7.40
sap/netweaver 7.50
Published Sep 14, 2021
KEV Added Jun 09, 2022
Tracked Since Feb 18, 2026