CVE-2025-42999

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-42999
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://me.sap.com/notes/3604119 Permissions Required
https://url.sap/sapsecuritypatchday Not Applicable
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999
Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*
History

21 Oct 2025, 23:17

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999 -

21 Oct 2025, 20:20

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:21

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-42999 -

16 May 2025, 19:44

Type Values Removed Values Added
First Time Sap
Sap netweaver
References () https://me.sap.com/notes/3604119 - () https://me.sap.com/notes/3604119 - Permissions Required
References () https://url.sap/sapsecuritypatchday - () https://url.sap/sapsecuritypatchday - Not Applicable
References () https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ - () https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ - Exploit, Third Party Advisory
CPE cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*

13 May 2025, 17:16

Type Values Removed Values Added
Summary
  • (es) SAP NetWeaver Visual Composer Metadata Uploader es vulnerable cuando un usuario privilegiado puede cargar contenido malicioso o no confiable que, al deserializarse, podría comprometer la confidencialidad, integridad y disponibilidad del sistema host.
References
  • () https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ -

13 May 2025, 03:15

Type Values Removed Values Added
Summary (en) SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.Note: Customers who have implemented the security note 3594142 should also implement this security note 3604119. (en) SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

13 May 2025, 01:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-13 01:15

Updated : 2025-10-21 23:17

NVD link : CVE-2025-42999

Mitre link : CVE-2025-42999

CVE.ORG link : CVE-2025-42999

JSON object : View

Products Affected

sap

  • netweaver
CWE
CWE-502

Deserialization of Untrusted Data