CVE-2021-38163
Published 2021-09-14
Priority: P1 86 · CVSS 3.1: 8.8 (high)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-06-30
Exploited in the wild
EPSS: 37.15% (98.3rd percentile)
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.
Affected
8 ranges across two vendor/product identifiers (sap/netweaver and sap_se/sap_netweaver); no version bounds were extracted. The SAP-stated affected versions are Visual Composer 7.0 RT 7.30, 7.31, 7.40 and 7.50 (see the description above).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | netweaver | — | — |
| sap_se | sap_netweaver | — | — |
Detection & IOCs (extracted from sources)
URL: /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator? (the rule writes the trailing "?" as the hex byte |3f|)
Snort/Suricata rule (sid:2061735):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SAP NetWeaver Application Server Java Post-Auth Arbitrary File Upload (CVE-2021-38163)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator|3f|"; fast_pattern; content:"parName|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/purpleteam-ru/CVE-2021-38163; reference:cve,2021-38163; classtype:web-application-attack; sid:2061735; rev:1; metadata:affected_product SAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_38163, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP GET requests targeting the VCParMigrator servlet endpoint with a parName parameter containing path-traversal sequences (dot-dot-slash variants, URL-encoded or plain). The PCRE is anchored relative to the end of the "parName=" match, stays within that one query parameter (it stops at "&"), and requires two or more consecutive traversal segments, so a single "../" does not fire it.
- The exploit is post-authentication (a non-admin user is sufficient); monitor for authenticated low-privilege accounts uploading files via the Visual Composer endpoint, followed by OS command execution under the Java Server process account.
- Deploy the Snort/Suricata rule (SID 2061735) at perimeter, internal and TLS-decryption inspection points; the rule is tagged tls_state TLSDecrypt, so without decryption it sees nothing on HTTPS portals.
- Reference PoC/exploit code is publicly available (the rule cites github.com/purpleteam-ru/CVE-2021-38163); threat-hunt for request patterns matching that tooling.
- Affected versions are Visual Composer 7.0 RT 7.30, 7.31, 7.40 and 7.50. The rule matches on request shape, not on version, so use this list to prioritise and asset-scope alerts rather than to suppress them.
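The rule above only helps where an IDS is in line and TLS is decrypted. As an added example (not from the page, from Emerging Threats, or from SAP), the following Python transcribes the rule's matching logic (GET, the VCParMigrator path, two or more traversal segments inside the parName value) and runs it over a handful of constructed access-log lines, so the same check can be applied retroactively to web-server or reverse-proxy logs. The log format, IPs, usernames and timestamps are all constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint from Suricata sid:2061735; "|3f|" in the rule is the hex-encoded "?".
VC_PAR_MIGRATOR = "/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator"

# Python transcription of the rule's PCRE, applied to the text after "parName=":
# within the current query parameter (no "&"), two or more runs of 1-2 dots
# (plain or %2E) each followed by one or more slash/backslash (plain or %2F/%5C).
TRAVERSAL_RE = re.compile(r"^[^&]*?(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")

# Assumed combined-style access log: client, ident, authenticated user, time,
# request line, status, size. Adjust to the real ICM/HTTP server log format.
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
LOGS = """\
10.0.0.5 - jdoe [18/Apr/2025:10:02:11 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator?parName=..%2f..%2f..%2fusr%2fsap%2fx.par HTTP/1.1" 200 512
10.0.0.7 - jdoe [18/Apr/2025:10:03:40 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator?parName=myapp.par HTTP/1.1" 200 512
10.0.0.9 - asmith [18/Apr/2025:10:05:02 +0000] "GET /irj/portal HTTP/1.1" 200 1024
10.0.0.5 - jdoe [18/Apr/2025:10:06:13 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator?parName=../../evil.par&x=1 HTTP/1.1" 200 512
10.0.0.5 - jdoe [18/Apr/2025:10:07:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator?foo=bar&parName=../x.par HTTP/1.1" 200 512
"""


def is_exploit_attempt(method: str, target: str) -> bool:
    """Mirror the rule: GET + VCParMigrator path + >=2 traversal segments in parName."""
    if method != "GET":
        return False  # the rule's http.method content match is "GET" only
    parts = urlsplit(target)
    # Suricata's http.uri buffer is normalised (percent-decoded); decode the path
    # so an attacker encoding the servlet path still matches.
    if unquote(parts.path) != VC_PAR_MIGRATOR:
        return False
    idx = parts.query.find("parName=")
    if idx == -1:
        return False
    # Like the rule's "/R" modifier: match relative to the end of "parName=".
    value = parts.query[idx + len("parName="):]
    return TRAVERSAL_RE.match(value) is not None


def scan(log_text: str) -> list:
    """Return (src, user, target) for every log line that matches the rule logic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        if is_exploit_attempt(m["method"], m["target"]):
            hits.append((m["src"], m["user"], m["target"]))
    return hits


if __name__ == "__main__":
    for src, user, target in scan(LOGS):
        print(f"{src} ({user}) -> {target}")
```

Note that the last sample line (a single "../" in parName) is deliberately not flagged: the rule's `{2,}` quantifier needs two traversal segments, which is a false-negative trade-off the rule makes for precision. If you want to hunt more broadly, lower that quantifier in `TRAVERSAL_RE` and accept more triage.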
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | HIGH (the v2 scale has no Critical band) | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | — | 9.9 | CRITICAL | — |
| CISA | — | 8.8 | HIGH | — |
GHSA
GHSA-px4v-wj8p-cq36 (ghsa_unreviewed, 2022-05-24): CVE-2021-38163 [HIGH] CWE-22
Description: identical to the SAP/NVD text above.
VulnCheck
SAP NetWeaver Unrestricted File Upload Vulnerability (vulncheck, 2021, CVSS 9.9): CVE-2021-38163 [CRITICAL] CWE-23
SAP NetWeaver contains a vulnerability that allows unrestricted file upload.
Affected: SAP NetWeaver
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://onapsis.com/blog/three-actively-exploited-sap-vulnerabilities-identified-onapsis-research-labs
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.csoonline.com/article/2092336/sap-users-are-at-high-risk-as-hackers-exploit-application-vulnerabilities.html
Exploit PoC:
- https://vulncheck.com/xdb/f849d74a8cfd
- https://vulncheck.com/xdb/f2e5e933e053
Remediation Due: 2022-06-30
CISA
SAP NetWeaver Unrestricted File Upload Vulnerability (cisa, 2022-06-09, CVSS 8.8): CVE-2021-38163 [HIGH] CWE-23
SAP NetWeaver contains a vulnerability that allows unrestricted file upload.
Affected: SAP NetWeaver
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-38163
Remediation Due Date: 2022-06-30
Suricata
ET WEB_SPECIFIC_APPS SAP NetWeaver Application Server Java Post-Auth Arbitrary File Upload (CVE-2021-38163) (suricata, 2025-04-18, CVSS 9.9): CVE-2021-38163 [CRITICAL]
Rule: sid:2061735, rev:1; the full rule text is given under Detection & IOCs above.
No public exploits indexed on this page beyond the PoC references above (the VulnCheck XDB entries and the purpleteam-ru GitHub repository cited in the Suricata rule).
No writeups or analysis indexed.
References
- https://launchpad.support.sap.com/#/notes/3084487
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38163
Timeline
2021-09-14 Published
2022-06-09 Added to CISA KEV
Exploited in the wild