CVE-2021-38163 — SAP NetWeaver Unrestricted File Upload Vulnerability

SAP NetWeaver — Authenticated Low-Privilege File Upload Without Path Restrictions Enabling Webshell Deployment and Code Execution

What is SAP NetWeaver?

SAP NetWeaver is the foundational technology platform for SAP enterprise applications, including SAP ERP, SAP S/4HANA, SAP BW, and many other SAP systems. It provides the application server, development environment, and middleware layer for the SAP ecosystem. SAP NetWeaver systems contain an organization's most sensitive business data — financial records, HR data, supply chain information, customer databases — making them extremely high-value targets. SAP NetWeaver vulnerabilities are consistently exploited by sophisticated threat actors targeting enterprise business data.

Overview

CVE-2021-38163 is a critical unrestricted file upload vulnerability (CWE-22) in SAP NetWeaver. An authenticated user with only low-level privileges can upload files to arbitrary locations on the NetWeaver application server filesystem without restriction. By uploading a webshell (e.g., a JSP or ABAP script) to a web-accessible directory, an authenticated low-privilege user can achieve code execution on the server with the privileges of the NetWeaver application process. SAP patched this in September 2021; CISA added it to KEV in June 2022.

Affected Versions

Product: SAP NetWeaver (affected components)
Vulnerable: Versions before September 2021 patch
Fixed: SAP Security Note 3059926

Technical Details

The vulnerability exists in a SAP NetWeaver component that handles file operations. The file upload functionality does not adequately restrict the destination path, allowing an authenticated low-privilege user to write files to locations outside the intended scope:

  • Authentication required: Low — any valid SAP NetWeaver user account, including low-privilege accounts
  • Path restriction: None — the attacker can specify paths that resolve outside the intended upload directory
  • Webshell deployment: Uploading a JSP script to a Tomcat-accessible directory (NetWeaver uses Java-based application server components) provides arbitrary code execution via HTTP
  • Execution context: Code executes as the SAP NetWeaver application server service account — typically a highly privileged account with access to SAP databases and file systems
  • CVSS 9.9: The "Scope Changed" metric reflects that code execution on the NetWeaver application server provides access to the entire SAP system and connected business data
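The missing path restriction in the list above is the general CWE-22 pattern: a client-supplied destination is joined to the upload directory without canonicalisation or a containment check. The Python below is an added illustration of that pattern beside the usual fix; it is not SAP's code and says nothing about how the NetWeaver component itself is implemented. The upload root, the allowed extensions and the sample inputs are assumptions made for the example. The hardened version keeps only the final name component, allows only expected document types, and confirms that the resolved target still lies inside the upload root.

```python
"""Destination-path handling for a file upload endpoint: the unrestricted
pattern beside a hardened version.

Added illustration, not SAP code, and it makes no claim about how the
NetWeaver component is implemented. The upload root, the allowed extensions
and the sample inputs are constructed for the example.
"""
import os
from pathlib import Path
from typing import Optional

UPLOAD_ROOT = Path("/srv/app/uploads")          # assumed upload directory
ALLOWED_SUFFIXES = {".pdf", ".csv", ".txt"}      # assumed document types


def unrestricted_destination(user_path: str) -> Path:
    """Vulnerable pattern: the client-supplied path is appended to the upload
    root with no canonicalisation and no containment check, so '..' segments
    place the file outside the upload directory."""
    return Path(f"{UPLOAD_ROOT}/{user_path}")


def escapes_root(dest: Path) -> bool:
    """True when the lexically normalised destination lies outside UPLOAD_ROOT.
    Used here to show what the unrestricted pattern allows without writing
    anything to disk."""
    norm = Path(os.path.normpath(dest))
    return UPLOAD_ROOT not in norm.parents


def restricted_destination(user_path: str) -> Optional[Path]:
    """Hardened pattern: discard every directory component of the supplied
    name, allow only expected document extensions, then resolve the target
    and confirm it is still inside UPLOAD_ROOT. Returns None on rejection."""
    name = Path(user_path).name              # "../../x.jsp" -> "x.jsp"
    if not name or name in {".", ".."}:
        return None
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    target = (UPLOAD_ROOT / name).resolve()  # canonical form, symlinks followed
    if UPLOAD_ROOT.resolve() not in target.parents:
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs: two legitimate names, one traversal, one absolute path.
    for candidate in ["report.pdf", "q3/report.pdf", "../../web/page.jsp", "/etc/passwd"]:
        loose = unrestricted_destination(candidate)
        print(f"{candidate!r:24} unrestricted -> {loose} (escapes root: {escapes_root(loose)});"
              f" restricted -> {restricted_destination(candidate)}")
```

The containment check is the part that matters: dropping directory components alone is not enough if a later step re-joins user input, and an extension allowlist alone does not stop a traversal that overwrites an existing file of an allowed type. Both checks together, applied after `resolve()`, cover the two ways the unrestricted version fails.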

Discovery

Identified through SAP's internal security review and disclosed via the September 2021 SAP Patch Day.

Exploitation Context

SAP systems are high-priority targets for both nation-state actors (seeking business intelligence) and financially motivated criminals (data theft and ransomware). Threat actors with access to even a low-privilege SAP user account — obtainable through phishing, credential stuffing, or purchase on criminal markets — could exploit this to escalate to full NetWeaver server compromise. The CISA KEV addition in June 2022 reflects confirmed exploitation against unpatched SAP NetWeaver installations.

Remediation

  1. Apply SAP Security Note 3059926 via SAP Maintenance Planner or SPAM (SAP Patch Manager)
  2. Review SAP system for unauthorized files in web-accessible directories
  3. Restrict file upload functionality to authorized users with genuine business need
  4. Monitor SAP system logs for unusual file operations or requests to uploaded files
  5. Apply SAP's recommended security hardening guidelines (SAP Security Baseline) to limit the impact of any future file upload abuse
  6. Regularly audit SAP user accounts and access rights — low-privilege accounts should have only the minimum required authorizations
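Remediation steps 2 and 4 ask for a review of web-accessible directories and for monitoring of requests to uploaded files. The Python below is an added example of both checks, not an SAP tool: it lists executable files under a web root that are absent from a known-good inventory, then pulls access-log entries that request those files. The directory layout, the inventory, the NCSA-style log format and the log lines are constructed for the example; a real NetWeaver installation has its own paths and log formats, so the regular expression and the inventory would need adapting.

```python
"""Post-patch checks: executable files outside a known-good inventory under a
web root, and access-log requests that reach them.

Added example, not an SAP tool. The directory layout, inventory, log format
(NCSA combined) and log lines are all constructed for the example.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Extensions the application server would execute rather than serve as data.
EXECUTABLE_SUFFIXES = {".jsp", ".jspx", ".jar", ".class", ".war"}

# Constructed known-good inventory (paths relative to the web root), as an
# administrator would capture from a freshly patched, trusted deployment.
BASELINE = {"index.jsp", "app/report.jsp", "static/logo.png"}

# Constructed NCSA combined log lines; the third requests a file that is not
# in the inventory.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Jun/2022:08:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - jdoe [12/Jun/2022:08:01:09 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2022:08:02:44 +0000] "GET /app/tmp_upload.jsp HTTP/1.1" 200 33 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def unexpected_executables(web_root: Path, baseline: Iterable[str]) -> List[str]:
    """Return web-root-relative paths of executable files absent from baseline."""
    known = set(baseline)
    found = []
    for p in sorted(web_root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = p.relative_to(web_root).as_posix()
            if rel not in known:
                found.append(rel)
    return found


def requests_to(paths: Iterable[str], log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed log entries whose request path targets one of `paths`."""
    targets = {"/" + p for p in paths}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip malformed lines
        req_path = m.group("path").split("?", 1)[0]    # ignore any query string
        if req_path in targets:
            hits.append(m.groupdict())
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed web root in a temporary directory and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ["index.jsp", "app/report.jsp", "static/logo.png", "app/tmp_upload.jsp"]:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("placeholder\n")              # constructed content only
        unexpected = unexpected_executables(root, BASELINE)
        hits = requests_to(unexpected, SAMPLE_LOG.splitlines())
    return {"unexpected": unexpected, "hits": hits}


if __name__ == "__main__":
    result = demo()
    print("Executable files not in inventory:", result["unexpected"])
    for h in result["hits"]:
        print(f"{h['ts']} {h['src']} {h['method']} {h['path']} -> {h['status']}")
```

The inventory comparison is the piece that gives the log check its signal: a request to a JSP looks ordinary on its own, and only the fact that the file is absent from the trusted deployment inventory makes it worth an analyst's time. Take the inventory from a clean system after the patch, not from the system under review.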

Key Details

CVE ID: CVE-2021-38163
Vendor / Product: SAP — NetWeaver
NVD Published: 2021-09-14
NVD Last Modified: 2026-02-25
CVSS 3.1 Score: 9.9
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-22
CISA KEV Added: 2022-06-09
CISA KEV Deadline: 2022-06-30
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-30. Apply updates per vendor instructions.

Timeline

2021-09-14: SAP September 2021 Patch Day includes SAP Security Note 3059926
2021-09-14: CVE published
2022-06-09: Added to CISA Known Exploited Vulnerabilities catalog
2022-06-30: CISA BOD 22-01 remediation deadline

References

  • SAP Security Note 3059926 — CVE-2021-38163 Fix (Vendor Advisory)
  • NVD — CVE-2021-38163 (Vulnerability Database)
  • CISA KEV Catalog Entry (US Government)