CVE-2025-42999

Insecure Deserialization in SAP NetWeaver (Visual Composer development server)

CVSS 9.1 (Critical) · EPSS 11.2% · KEV · CWE-502
In short

SAP NetWeaver's Visual Composer lets an attacker who already holds upload privileges submit a crafted serialized object. The server deserializes it when it processes the uploaded file, so the embedded code runs automatically and could compromise the entire server.

Technical detail

CWE-502 insecure deserialization in the SAP NetWeaver Visual Composer Metadata Uploader lets authenticated users upload crafted serialized objects that execute arbitrary code when deserialized. Exploitation requires elevated privileges (PR:H in the vector below), but a successful attack results in full system compromise, with high impact on confidentiality, integrity and availability.

Summary generated and translated by AI from the official description.

Official description

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
