CVE-2025-42999
Published: 13 May 2025
Summary
CVE-2025-42999 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP NetWeaver. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization flaw tracked as CVE-2025-42999 and classified as CWE-502. A privileged user can upload untrusted or malicious serialized content that the component deserializes without adequate validation, resulting in a complete compromise of the host system's confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 score of 9.1 with network attack vector, low complexity, high privileges required, and changed scope.
An authenticated attacker with administrative access can supply crafted metadata that executes arbitrary code upon deserialization, allowing takeover of the affected SAP system and potential lateral movement within the environment. No user interaction is needed beyond the initial privileged upload.
SAP has published note 3604119 and addressed the issue through its regular security patch day cycle. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild activity.
EPSS for the CVE rose from lower values to a peak of 0.7025 on 2026-03-09 before receding to the current 0.3857, demonstrating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14349
Vulnerability details
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 15 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks deserialization of untrusted serialized content uploaded to the Visual Composer Metadata Uploader before it can be processed.
- AC-6 (Least Privilege): Restricts the administrative privileges required to reach the Metadata Uploader, reducing the attack surface for the high-privilege deserialization flaw.
- Malicious code protection: Provides malicious-code scanning and execution controls that can intercept or alert on the RCE payload delivered via crafted serialized data.
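The input-validation control above comes down to one rule: never deserialize a class the uploader was not designed to accept. The Java program below is an added illustration of that rule and is not SAP's code or part of this record. It assumes the uploaded content is standard Java serialization (the page does not state the format) and uses the JDK's built-in ObjectInputFilter allow-list; the types MetadataRecord and UnexpectedType and the class UploadFilterDemo are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example (not SAP code): an allow-list deserialization filter that is
 * consulted for every class in an uploaded stream before an instance is
 * created. Requires Java 9+ (java.io.ObjectInputFilter).
 */
public class UploadFilterDemo {

    // Hypothetical record type that the uploader legitimately expects.
    public static final class MetadataRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        MetadataRecord(String name) { this.name = name; }
    }

    // Hypothetical type that has no business inside an uploaded metadata blob.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be accepted";
    }

    // Allow-list: only MetadataRecord and java.lang.String may be resolved;
    // "!*" rejects every other class. The limits bound depth, reference count
    // and stream size so a nested or oversized graph cannot exhaust resources.
    static final ObjectInputFilter UPLOAD_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=10;maxrefs=1000;maxbytes=65536;"
        + MetadataRecord.class.getName() + ";java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the object only if every class in the stream passes the
    // allow-list; a disallowed class raises InvalidClassException before any
    // of its code (constructors, readObject, readResolve) can run.
    static Object readUpload(byte[] upload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(upload))) {
            ois.setObjectInputFilter(UPLOAD_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected record, one foreign type.
        byte[] good = serialize(new MetadataRecord("model-v1"));
        byte[] bad = serialize(new UnexpectedType());

        MetadataRecord r = (MetadataRecord) readUpload(good);
        System.out.println("accepted: " + r.name);

        try {
            readUpload(bad);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (InvalidClassException e) {
            // Expected path: "filter status: REJECTED"
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac UploadFilterDemo.java && java UploadFilterDemo`. The same pattern string can be applied process-wide through the `jdk.serialFilter` system property, which is the more robust deployment because it also covers deserialization paths the application code did not wrap explicitly; a per-stream filter like the one above is the right tool when different endpoints accept different types.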