🔓 CVE-2025-42999

Critical insecure deserialization vulnerability in SAP NetWeaver Visual Composer development server that allows privileged users to upload malicious content leading to complete system compromise. CISA KEV listing indicates active exploitation in the wild.

Risk Level: HIGH_RISK
CVSS Score: 9.1
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-15 (2 days between CVE publication and KEV listing)

🎯 Recommendations:

šŸ” Web Intelligence (Kagi Ā· 2026-06-04)

CVE-2025-42999 is a critical security vulnerability affecting the SAP NetWeaver Visual Composer component. Below is a summary of the known details regarding this flaw.

Vulnerability Overview
CVE-2025-42999 is an insecure deserialization vulnerability within the SAP NetWeaver Visual Composer development server [1]. It allows a user with specific upload permissions—or in some scenarios, a privileged user—to upload untrusted or malicious content, which the system then deserializes [5] [4].
Exploitation and Attack Details
  • Active Exploitation: The vulnerability has been observed being actively exploited in the wild [2] [3].
  • Attack Method: Attackers have been known to chain this vulnerability with other flaws, such as the unauthenticated file upload vulnerability CVE-2025-31324, to breach SAP systems [2].
  • Impact: Successful exploitation allows for remote code execution (RCE), enabling attackers to take over the host system, steal sensitive data, or disrupt operations [4] [2].
  • Exploit Availability: There have been reports of attackers testing exploits for this vulnerability in the wild, indicating that functional exploit code exists and has been utilized by threat actors [3].
Mitigation and Patch Status
  • Patch Status: SAP has released security patches to address this vulnerability. Organizations using SAP NetWeaver are strongly advised to consult the official SAP Security Patch Day bulletins for 2025 to identify and apply the necessary updates (specifically SAP Security Note 3604119) [1].
  • Mitigation: Beyond applying the official patches, organizations should restrict upload permissions for the Visual Composer component to only trusted, authorized users and monitor for suspicious file upload activity or unauthorized deserialization attempts.

Sources

  1. SAP Security Patch Day Bulletins - 2025 - SAP Support Portal

    3604119. [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) ... Related CVE - CVE-2025-30009, CVE- ...

  2. SAP patches second zero-day flaw exploited in recent attacks

    CVE-2025-42999 is a vulnerability in SAP NetWeaver that allows attackers to execute arbitrary commands remotely. It was chained with another unauthenticated file upload flaw (CVE-2025-31324) to breach SAP systems and upload web shells.

  3. Active Exploitation of CVE-2025-31324 and CVE-2025-42999 in the ...

    Active exploitation of SAP MetadataUploader flaws CVE-2025-31324 & CVE-2025-42999 shows early attacker testing before public exploits.

  4. CVE-2025-42999 - SAP NetWeaver Visual Composer Metadata Uploader ...

    CVE-2025-42999 is a newly discovered vulnerability in SAP NetWeaver Visual Composer (VC). This vulnerability lets a user with upload permissions—sometimes even an internal or privileged user—upload harmful files. When these files are deserialized by the system, an attacker can potentially take over…

  5. CVE-2025-42999 Detail - NVD

    SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content.