CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2021-38163

CVSS 9.9v3.1pub. 2021-09-14upd. 2026-02-25

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Sap Netweaver

    APP
    Sap
    7.307.317.407.50

CISA KEV — detailsi

Vendori
SAP
Producti
NetWeaver
Added to KEVi
June 9, 2022
Remediation deadline (US Federal)i
June 30, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

SAP NetWeaver contains a vulnerability that allows unrestricted file upload.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 30 czerwca 2022
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-42999CRITICAL9.1⚠ KEVPL ✓ten sam produkt

SAP NetWeaver Visual Composer — niebezpieczna deserializacja treści

CVE-2025-31324CRITICAL10.0⚠ KEVPL ✓ten sam produkt

SAP NetWeaver: nieautoryzowany upload plików wykonywalnych w Visual Composer

CVE-2023-36922CRITICAL9.1ten sam produkt

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an ...

CVE-2020-6203CRITICAL9.1ten sam produkt

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an a...

CVE-2011-1517CRITICAL9.8ten sam produkt

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() ...