CVE-2021-38163

critical-risk
Published 2021-09-14

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

Do I need to act?

!
84.8% chance of exploitation in next 30 days
EPSS score — higher than 15% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Sap

References (5)

Permissions Required https://launchpad.support.sap.com/#/notes/3084487
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
Permissions Required https://launchpad.support.sap.com/#/notes/3084487
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
70
/ 100
critical-risk
Severity 33/34 · Critical
Exploitability 27/34 · High
Exposure 10/34 · Low