Vulnerability in SAP NetWeaver Visual Composer's Metadata Uploader
CVE-2025-42999

9.1 CRITICAL

Key Information:

Vendor

SAP

CVE Published:
13 May 2025

Badges

📰 News Worthy

What is CVE-2025-42999?

A flaw in the SAP NetWeaver Visual Composer’s Metadata Uploader allows privileged users to upload potentially harmful content. When this content is deserialized, it can compromise the confidentiality, integrity, and availability of the host system. This vulnerability highlights the need for stringent input validation and content verification protocols to protect against unauthorized access and system exploitation.

Affected Version(s)

SAP NetWeaver (Visual Composer development server) VCFRAMEWORK 7.50

News Articles

SAP patches second zero-day flaw exploited in recent attacks

SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day.

5 hours ago

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved
