CVE-2021-38163
published 2021-09-14

Priority: P186, high
CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW (in the wild), EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-06-30
Exploited in the wild
EPSS: 37.15% (98.3th percentile)
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Affected (8 ranges)

Vendor   Product        Version range   Fixed in
sap      netweaver      (not listed)    (not listed)   [4 ranges]
sap_se   sap_netweaver  (not listed)    (not listed)   [4 ranges]

Detection & IOCs (extracted from sources)

URL: /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator|3f| (Snort hex escape; |3f| is '?')

Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SAP NetWeaver Application Server Java Post-Auth Arbitrary File Upload (CVE-2021-38163)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator|3f|"; fast_pattern; content:"parName|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,github.com/purpleteam-ru/CVE-2021-38163; reference:cve,2021-38163; classtype:web-application-attack; sid:2061735; rev:1; metadata:affected_product SAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_38163, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP GET requests to the VCParMigrator servlet endpoint whose 'parName' parameter contains path traversal sequences (dot-dot-slash variants, plain or URL-encoded); the rule's PCRE only fires on two or more consecutive traversal segments within that single parameter value.
  • The exploit is post-authentication (a non-admin user is sufficient), so perimeter blocking of unauthenticated traffic does not cover it: monitor authenticated low-privilege accounts uploading files through the Visual Composer endpoint, followed by OS command execution under the Java Server process account.
  • Deploy the Snort/Suricata rule (SID 2061735) at perimeter, internal, and TLS-decryption inspection points so exploit attempts are caught in both cleartext and decrypted TLS traffic.
  • Reference PoC/exploit code is publicly available; hunt for request patterns matching that public PoC, since opportunistic scanners tend to reuse it unchanged.
  • Affected versions are specifically Visual Composer 7.0 RT versions 7.30, 7.31, 7.40, and 7.50; scope detection rules to these versions to reduce false positives.
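As an added example (not code from the page's sources, SAP, or the rule author), the detection logic of the Snort rule above expressed in Python and run over constructed access-log lines; the log format and the sample addresses and user names are assumptions.

```python
import re

# Endpoint and parameter taken from the Snort rule on this page (|3f| is the hex escape for '?').
ENDPOINT = "/irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.VCParMigrator?"

# Same logic as the rule's PCRE: one or two dots (plain or %2E) followed by one or more
# slashes or backslashes (plain or encoded), repeated two or more times consecutively.
TRAVERSAL = re.compile(r"(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff])+){2,}")


def is_suspicious_request(method: str, uri: str) -> bool:
    """True when a request matches the rule: GET, the VCParMigrator endpoint, and a
    parName value carrying two or more traversal segments."""
    if method.upper() != "GET":
        return False
    if not uri.startswith(ENDPOINT):
        return False
    idx = uri.find("parName=")
    if idx == -1:
        return False
    # The rule's /R modifier plus [^\x26]*? confine the match to the parName value
    # itself, so stop at the next '&' before searching for traversal.
    value = uri[idx + len("parName="):].split("&", 1)[0]
    return TRAVERSAL.search(value) is not None


def scan_access_log(lines):
    """Return [(line_number, uri)] for combined-format log lines that match."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"([A-Z]+) (\S+) HTTP/[\d.]+"', line)
        if m and is_suspicious_request(m.group(1), m.group(2)):
            hits.append((n, m.group(2)))
    return hits


# Constructed sample log lines (hypothetical hosts and users), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [18/Apr/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 512',
    '10.0.0.5 - alice [18/Apr/2025:10:00:02 +0000] "GET ' + ENDPOINT + 'parName=report.par HTTP/1.1" 200 88',
    '10.0.0.9 - bob [18/Apr/2025:10:00:03 +0000] "GET ' + ENDPOINT + 'parName=..%2F..%2Fx.par HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for n, uri in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: possible CVE-2021-38163 attempt: {uri}")
```

Only the third constructed line is reported; a legitimate parName value without consecutive traversal segments, or the same traversal sent by POST or to another path, stays silent exactly as the Snort rule would.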

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck             9.9     CRITICAL
cisa                  8.8     HIGH