CVE-2025-42999

CVSS 9.1 CRITICAL | Listed in CISA KEV

📋 TL;DR

CVE-2025-42999 is an insecure deserialization vulnerability in the Metadata Uploader of SAP NetWeaver Visual Composer, which runs on the SAP NetWeaver Application Server Java. A user who already holds the privilege to upload content to the Metadata Uploader can submit crafted serialized content that the server deserializes, giving remote code execution under the account of the SAP Java server. A successful attack compromises the confidentiality, integrity and availability of the host, and the flaw is listed in CISA's Known Exploited Vulnerabilities catalog, so exploitation in the wild has been observed.

💻 Affected Systems

Products:
  • SAP NetWeaver Visual Composer
Versions: Specific versions are not enumerated in the CVE record; check SAP Security Note 3604119 for the affected and corrected Visual Composer component versions
Operating Systems: All platforms running the SAP NetWeaver Application Server Java with Visual Composer deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Reachable only by an authenticated user who holds upload rights to the Visual Composer Metadata Uploader

📦 What is this software?

SAP NetWeaver Visual Composer is a browser-based, model-driven tool on the SAP NetWeaver Application Server Java for building business user interfaces without hand-written code. Its Metadata Uploader accepts model metadata submitted by developers; that upload handler is where the vulnerable deserialization takes place.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding uploader credentials (or who obtains them through another flaw) executes arbitrary code as the SAP Java server OS user, exfiltrates business data, installs a persistent backdoor and pivots into the connected SAP landscape

🟠 Likely Case

Code execution on the AS Java host leading to unauthorized access to sensitive business data and manipulation of the system, bounded by how widely the uploader privilege was granted and what the host can reach

🟢 If Mitigated

With the corrected component deployed, the uploader privilege held by only a few developers, and uploads logged and reviewed, the remaining exposure is an insider with those credentials, whose activity the detection guidance on this page makes visible

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: YES (CISA KEV)
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires credentials for an account with upload rights to the Metadata Uploader. The CISA KEV listing means exploitation has been observed in the wild, and closely related SAP NetWeaver Visual Composer flaws have been actively exploited, so treat any reachable unpatched instance as a live target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Corrected Visual Composer component delivered with SAP Security Note 3604119

Vendor Advisory: https://me.sap.com/notes/3604119

Restart Required: Yes

Instructions:

1. Read SAP Security Note 3604119 on the SAP Support Portal and identify the corrected Visual Composer component version for your release
2. Visual Composer is an AS Java component, so the correction is deployed as a patched software component archive with the Java deployment tooling (for example Software Update Manager), not with the ABAP transaction SNOTE, which only applies ABAP corrections
3. Restart the affected AS Java instances as the deployment requires
4. Confirm the deployed component version now matches the note and that the Java cluster started without errors

🔧 Temporary Workarounds

Restrict Access to Visual Composer (all platforms)

Limit the role that grants upload rights to the Visual Composer Metadata Uploader to the few developers who need it, and remove it from generic administrator accounts. The flaw is reachable only by users who hold that privilege, so every account stripped of it is one fewer path to code execution.

Block the Uploader Endpoint at the Edge (all platforms)

Customers cannot add validation inside SAP's uploader, so the practical control is to keep untrusted networks away from it: deny the Metadata Uploader path at the SAP Web Dispatcher or reverse proxy in front of AS Java, and if Visual Composer is not in use, disable or undeploy the component using the procedure SAP supports for your release. Developers on the internal network are unaffected when only the internet-facing entry point denies the path.

🧯 If You Can't Patch

  • Enforce strict access controls so that only named developers hold the privilege that reaches the vulnerable Metadata Uploader, and deny the uploader path on any internet-facing entry point
  • Log every metadata upload with the user, source address and size, and review uploads by accounts outside the approved list or from unexpected networks
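Added example of the edge block described in the workarounds and in the list above; it is not taken from the SAP note. It shows an SAP Web Dispatcher permission table for the internet-facing dispatcher that denies the Metadata Uploader path while leaving everything else as it was. The parameter name `wdisp/permission_table`, the P/D line syntax and the first-match ordering are my recollection of the Web Dispatcher permission-file format and must be checked against the documentation for your release; the file path and instance name are assumptions.

```text
# Assumed profile entry in the internet-facing Web Dispatcher profile:
#   wdisp/permission_table = /usr/sap/WD1/SYS/profile/uploader.perm
#
# uploader.perm: evaluated top-down, first matching line wins.
# D = deny the URL prefix, P = permit it.
#
# Weak (implicit) state: with only the final "P *" line, the uploader
# is reachable from the internet by anyone with credentials.
D /developmentserver/*
P *
```

Apply this only on the dispatcher that faces untrusted networks; an internal dispatcher used by Visual Composer developers keeps its existing table, otherwise legitimate model uploads stop working.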

🔍 How to Verify

Check if Vulnerable:

Visual Composer runs on the SAP NetWeaver Application Server Java, so ABAP tooling such as SNOTE does not apply. Compare the deployed version of the Visual Composer software component against the corrected versions listed in SAP Security Note 3604119; a system still running an earlier version with the Metadata Uploader reachable is vulnerable.

Check Version:

In SAP NetWeaver Administrator (NWA), open the system information / deployed components view and read the version of the Visual Composer framework component; the AS Java System Information page (typically /monitoring/SystemInfo) lists the same component versions.

Verify Fix Applied:

After deploying the corrected component and restarting, confirm the component version now matches the note, that the Java cluster started cleanly, and that the Visual Composer application logs show no errors.

📡 Detection & Monitoring

Log Indicators:

  • Upload requests to the Visual Composer Metadata Uploader (AS Java path /developmentserver/metadatauploader) from accounts that are not known Visual Composer developers
  • Uploads at unusual hours, from unfamiliar source addresses, or in unusual volume for a given account
  • Deserialization or application errors in the Visual Composer / AS Java logs immediately after an upload
  • New processes spawned by the SAP Java server OS user (<sid>adm) following an upload

Network Indicators:

  • Traffic from the internet or untrusted segments to the Metadata Uploader path
  • Large POST bodies to that path

SIEM Query:

Splunk-style pseudo-query; map the field names (uri_path, user, src_ip, bytes_in) to your AS Java HTTP log schema. It reports every upload by an account outside the approved developer list instead of matching a fixed username, because privileged use of the uploader is expected and the anomaly is who is using it:

source="sap_logs" uri_path="/developmentserver/metadatauploader*" NOT user IN ("vc_developer_1", "vc_developer_2") | stats count sum(bytes_in) by user src_ip
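As an added example (not part of this advisory and not SAP tooling), the following Python script applies the log indicators above to a handful of constructed AS Java HTTP access-log lines. The log layout, the allow-list of developer accounts, the internal address ranges and the size threshold are assumptions to replace with your own; only the uploader path is the real endpoint. It goes slightly beyond the SIEM query by also flagging unauthenticated attempts, external sources, oversized uploads and server errors on the uploader.

```python
"""Flag suspicious requests to the Visual Composer Metadata Uploader.

Added example, not SAP code. The access-log layout below is a constructed
CLF-like format:  ip user [timestamp] "METHOD PATH PROTO" status request_bytes
Adapt LOG_RE to the real AS Java HTTP access log on your system.
"""
import ipaddress
import re
from dataclasses import dataclass

# Real AS Java path of the Visual Composer Metadata Uploader.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed: accounts that legitimately upload Visual Composer models.
ALLOWED_USERS = {"vc_developer"}

# Assumed: address ranges from which developers work. The TEST-NET blocks in
# the sample below are deliberately outside these ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold: model uploads larger than this are worth a look.
SIZE_THRESHOLD = 512 * 1024

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str
    status: int
    reasons: tuple


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines):
    """Apply the log indicators to every uploader request; return the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != UPLOADER_PATH:
            continue  # unparsable line or a request to some other path
        reasons = []
        if rec["user"] == "-":
            reasons.append("request without an authenticated user")
        elif rec["user"] not in ALLOWED_USERS:
            reasons.append(f"user {rec['user']} is not an approved uploader")
        if not is_internal(rec["ip"]):
            reasons.append("source address outside internal ranges")
        if rec["size"] > SIZE_THRESHOLD:
            reasons.append(f"large upload ({rec['size']} bytes)")
        if rec["status"] >= 500:
            reasons.append("server error while processing upload")
        if reasons:
            findings.append(Finding(rec["ts"], rec["ip"], rec["user"],
                                    rec["status"], tuple(reasons)))
    return findings


# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 vc_developer [12/May/2025:09:12:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 2048
10.0.0.9 - [12/May/2025:09:12:30 +0000] "GET /irj/portal HTTP/1.1" 200 0
203.0.113.7 j2ee_admin [12/May/2025:09:13:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 1048576
10.0.0.5 vc_developer [12/May/2025:09:15:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 500 4096
198.51.100.3 - [12/May/2025:09:16:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} user={f.user} status={f.status}: " + "; ".join(f.reasons))
```

On the sample, the approved developer's normal upload produces nothing, while the three remaining uploader requests are reported: the non-approved account uploading a large body from an external address, the approved account's upload that ended in a server error, and the unauthenticated attempt from outside. The last reason is what ties a log line back to the "errors in Visual Composer logs" indicator, since a failed deserialization often surfaces as a 5xx on the uploader.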

🔗 References

  • SAP Security Note 3604119: https://me.sap.com/notes/3604119
  • NVD entry for CVE-2025-42999: https://nvd.nist.gov/vuln/detail/CVE-2025-42999
  • CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
