CyberSec.Space Logo
Back to CVE Browser

CVE-2021-38163

Known Exploited (CISA KEV)CRITICAL
9.9
CVSS Severity Score
EPSS Score66.6460%
EPSS Percentile93.36th
PublishedSep 14, 2021
Last ModifiedFeb 25, 2026

Vulnerability Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Affected Platforms (CPE)

πŸ“¦
Sap

Netweaver

= 7.30
πŸ“¦
Sap

Netweaver

= 7.31
πŸ“¦
Sap

Netweaver

= 7.40
πŸ“¦
Sap

Netweaver

= 7.50

References & Advisories

πŸ”— https://launchpad.support.sap.com/#/notes/3084487
πŸ”— https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
πŸ”— https://launchpad.support.sap.com/#/notes/3084487
πŸ”— https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
πŸ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38163

Related Vulnerabilities

CVE-2020-2682910.0

SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections fro...

CVE-2010-532610.0

The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, whic...

CVE-2020-628710.0

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which...

CVE-2012-434110.0

Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of serv...