CVE DATABASE / CVE-2021-38163
CVE-2021-38163
SAP NetWeaver Unrestricted File Upload Vulnerability
Confirmed exploited in the wild. Added 2022-06-09.
Federal remediation due 2022-06-30.
Required action: Apply updates per vendor instructions.
Summary
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.
CVSS 3.1 breakdown
| Base score | 9.9 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://launchpad.support.sap.com/#/notes/3084487
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38163
Data: NIST NVD + CISA KEV. NVD last modified 2026-02-25. Always verify against the vendor advisory before acting.