⚠ Actively exploited
Added to CISA KEV on 2022-06-09. Federal agencies required to patch by 2022-06-30. Required action: Apply updates per vendor instructions..

CVE-2021-38163Path Traversal in SE SAP Netweaver

CWE-22Path TraversalCWE-23Relative Path TraversalCWE-434Unrestricted File UploadCWE-78OS Command Injection6 documents6 sources
Severity
8.8HIGHNVD
CNA9.9VulnCheck9.9
EPSS
84.8%
top 0.66%
CISA KEV
KEV
Added 2022-06-09
Due 2022-06-30
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
SAP SE SAP NetweaverSAP Netweaver
Timeline
PublishedSep 14
KEV addedJun 9
KEV dueJun 30
Latest updateApr 18
CISA Required Action: Apply updates per vendor instructions.

Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDsap/netweaver4 versions+3
CVEListV5sap_se/sap_netweaver4 versions+3

🔴Vulnerability Details

3
GHSA
GHSA-px4v-wj8p-cq36: SAP NetWeaver (Visual Composer 72022-05-24
CVEList
CVE-2021-38163: SAP NetWeaver (Visual Composer 72021-09-14
VulnCheck
SAP NetWeaver Unrestricted File Upload Vulnerability2021

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS SAP NetWeaver Application Server Java Post-Auth Arbitrary File Upload (CVE-2021-38163)2025-04-18

📋Vendor Advisories

1
CISA
SAP NetWeaver Unrestricted File Upload Vulnerability2022-06-09
CVE-2021-38163 — Path Traversal in SAP SE SAP Netweaver | cvebase