Cyber Resilience

CVE-2021-38163

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 September 2021
Modified: 25 February 2026
KEV Added: 09 June 2022
Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8345 (99.3rd percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-38163 is a critical-severity Path Traversal (CWE-22) vulnerability in SAP NetWeaver. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

SAP NetWeaver Visual Composer 7.0 RT in versions 7.30, 7.31, 7.40, and 7.50 contains a path traversal vulnerability that permits an authenticated non-administrative user to upload a malicious file over the network and trigger its processing on the server. The flaw allows the uploaded content to execute operating system commands under the privileges of the Java Server process, enabling arbitrary actions on the underlying host.

An attacker with low-privileged network access can leverage the issue to read or modify any data on the server and to shut the server down, resulting in a complete loss of confidentiality, integrity, and availability with a CVSS score of 9.9. Because the scope is changed, the compromise extends beyond the vulnerable component to the broader operating system environment.

SAP security note 3084487 and the associated SCN wiki pages describe the available patches and configuration guidance, and the vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed real-world exploitation.


Vulnerability details

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sap
Product: netweaver
Versions: 7.30, 7.31, 7.40, 7.50

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly prevents non-administrative users from being granted the ability to upload files and trigger OS command execution under Java Server privileges.

Prevent: Enforces access control policies that deny low-privileged authenticated users the operations of malicious file upload and processing.

Prevent: Requires validation of all input (including file paths and content) to block the path traversal and arbitrary command execution vector.
