File Upload Vulnerability in SAP NetWeaver Visual Composer by SAP
CVE-2021-38163
Key Information:
- Vendor
SAP
- Vendor
- CVE Published:
- 14 September 2021
Badges
What is CVE-2021-38163?
A flaw exists in the SAP NetWeaver Visual Composer that permits an authenticated non-administrative user to upload a malicious file over the network. Once uploaded, the file can be processed, allowing the attacker to execute operating system commands with the privileges of the Java Server process. This vulnerability can lead to unauthorized access to information, data manipulation, or even denial of service by making the server unavailable.
CISA has reported CVE-2021-38163
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2021-38163 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
SAP NetWeaver (Visual Composer 7.0 RT) 7.30
SAP NetWeaver (Visual Composer 7.0 RT) 7.31
SAP NetWeaver (Visual Composer 7.0 RT) 7.40
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
88% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published
Vulnerability Reserved