SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.
Conclusion & alert: CVE-2021-38163 is rated Critical Active Threat (94/100): CVSS Critical severity, with high exploitation likelihood (EPSS 37.15%, 98th percentile).Core evidence: CISA KEV confirms active exploitation (added 2022-06-09) affecting SAP / NetWeaver. a weakness (CWE-22) Unauthenticated remote administrative access may be possible.Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Required action: Apply updates per vendor instructions.
Exploit prediction scoring system (EPSS) score for CVE-2021-38163
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).