Is CVE-2021-38163 actively exploited?

CVE-2021-38163 has no public evidence of in-the-wild exploitation as of 2025-11-03.

What is the CVSS score for CVE-2021-38163?

CVE-2021-38163 has a CVSS score of 9.9 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2021-38163?

Patch guidance is available from sap security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2021-38163.

Fix CVE-2021-38163 - CRITICAL sap netweaver

Q: Which products are affected by CVE-2021-38163?

4 products: sap netweaver, sap netweaver, sap netweaver, sap netweaver.

Description

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-22 · Path Traversal CWE-22 · Path Traversal

Metadata

Primary Vendor: SAP
Published: 9/14/2021
Last Modified: 11/3/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2021-38163

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary