Cyber Resilience

CVE-2025-42999

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 13 May 2025
Modified: 31 October 2025
KEV Added: 15 May 2025
Patch
CVSS Score: v3.1 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.3857 (97.3rd percentile)
Risk Priority: 61 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-42999 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP NetWeaver. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization flaw tracked as CVE-2025-42999 and classified as CWE-502 (Deserialization of Untrusted Data). A privileged user can upload untrusted or malicious serialized content that the component processes without adequate validation, resulting in a complete compromise of the host system's confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 score of 9.1: network attack vector, low attack complexity, high privileges required, no user interaction, and changed scope.

An authenticated attacker with administrative access can supply crafted metadata that executes arbitrary code upon deserialization, allowing takeover of the affected SAP system and potential lateral movement within the environment. No user interaction is needed beyond the initial privileged upload.

SAP has published note 3604119 and addressed the issue through its regular security patch day cycle. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild activity.

EPSS for this CVE rose from lower values to a peak of 0.7025 on 2026-03-09 before receding to the current 0.3857, indicating increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 15 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sap netweaver 7.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly blocks deserialization of untrusted serialized content uploaded to the Visual Composer Metadata Uploader before it can be processed.

prevent: Restricts the administrative privileges required to reach the Metadata Uploader, reducing the attack surface for the high-privilege deserialization flaw.

prevent, detect: Provides malicious-code scanning and execution controls that can intercept or alert on the RCE payload delivered via crafted serialized data.

References