KEVIntel
Back to KEVs
9.9
CVSS
Critical

CVE-2021-38163

PUBLISHED

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative...

Exploited in the wild Remote Low complexity No user interaction
Vendor
SAP SE
Product
SAP NetWeaver (Visual Composer 7.0 RT)
Published
Sep 14, 2021
EPSS

Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

java cisa

CVSS scores

CVSS v3.1 9.9 Critical

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2022-06-09 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
No
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Jun 09, 2022

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

core1impact/CVE-2021-38163

github · Created 2022-09-10 03:41:52 UTC · 3 stars

CVE-2021-38163 - exploit for SAP Netveawer

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel