CVE-2025-42999
Published: 2025-05-13
Priority: P187 · critical · 9.1 (CVSS 3.1)
CVSS metrics: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2025-06-05)
Exploited in the wild
EPSS: 11.22% (95.4th percentile)
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | netweaver | — | — |
| sap_se | sap_netweaver | — | — |
Detection & IOCs (extracted from sources)
- Monitor SAP NetWeaver servers for JSP web shell uploads (specifically helper.jsp and cache.jsp) in public directories as indicators of active exploitation of this vulnerability chain.
- RansomEXX/Storm-2460 deployed the PipeMagic modular backdoor and exploited CVE-2025-29824 (Windows CLFS) as a follow-on after initial SAP NetWeaver compromise — monitor for PipeMagic and MSBuild inline task execution post-exploitation.
- Post-exploitation activity included deployment of the Brute Ratel C2 framework via inline MSBuild task execution — monitor for msbuild.exe spawning unusual child processes on SAP NetWeaver hosts.
- Check Point IPS signatures are available for detection: 'SAP NetWeaver Remote Code Execution (CVE-2025-31324)', 'Ransomware.Win.Ransomexx.glat', 'Ransomware.Wins.BianLian.ta.*', 'Ransomware.Wins.BianLian', 'Backdoor.Wins.BianLian', 'HackTool.Wins.BianLian'.
- CVE-2025-42999 is only exploitable by users with the 'VisualComposerUser' role on the SAP target system — audit and restrict assignment of this role as a compensating control.
- Forescout identified at least 581 backdoored SAP NetWeaver instances and ~1,800 additional domains targeted; cross-reference exposed SAP NetWeaver instances against Shadowserver's tracking of 204+ vulnerable internet-exposed servers.
- CVE-2025-42999 was NOT addressed by the original out-of-band patch for CVE-2025-31324 (SAP note 3594142); a separate patch (SAP note 3604119, released May 13, 2025) is required to remediate the deserialization vulnerability.
- SAP security note 3604119 (the patch for CVE-2025-42999) requires an authenticated SAP account to access; organizations must log in to me.sap.com to retrieve and apply the patch.
- Even fully patched SAP NetWeaver instances were found to be compromised, indicating zero-day exploitation prior to patch availability; patching alone may be insufficient without forensic investigation of existing systems.
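As an added example (not code from the page or from any of the sources it cites), a small Python scanner for the first detection item above: it walks a NetWeaver document root for the reported web shell names (helper.jsp, cache.jsp) and records a SHA-256 and modification time for each hit so the evidence is preserved before cleanup. The directory layout and file contents are constructed for the demo, and the indicator list is assumed to be the only names worth flagging.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Web shell file names reported by the sources above for this exploitation chain.
# Assumption: these two names are the indicators to flag; extend from your own telemetry.
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Constructed sample of a public directory layout (not real NetWeaver content);
# only used by demo_scan() so the block runs stand-alone.
SAMPLE_TREE = {
    "irj/root/helper.jsp": b'<%@ page import="java.io.*" %>',   # constructed lookalike
    "irj/root/index.html": b"<html></html>",
    "irj/root/cache.jsp": b"<% out.println(1); %>",             # constructed lookalike
    "irj/root/lib/util.jsp": b"<% %>",                           # benign-looking name
}


def match_indicators(paths):
    """Return the sorted subset of paths whose file name is a known web shell name."""
    return sorted(p for p in paths if os.path.basename(p).lower() in WEBSHELL_NAMES)


def scan_tree(root):
    """Walk root and return (relative_path, sha256, mtime_utc) for every indicator hit.
    Hash and mtime are captured so the artefact can be preserved and timelined."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in WEBSHELL_NAMES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            findings.append((os.path.relpath(full, root), digest, mtime.isoformat()))
    return sorted(findings)


def demo_scan():
    """Materialise SAMPLE_TREE in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, digest, mtime in demo_scan():
        print(f"WEBSHELL CANDIDATE {path} sha256={digest} mtime={mtime}")
```

Point scan_tree() at the server's actual document roots rather than the demo tree; a hit should trigger preservation and forensic review, not just deletion, given the note above that patched hosts were found already compromised.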
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.1 (v3.1) | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | 9.1 | CRITICAL | — |
| cisa | 9.1 | CRITICAL | — |
GHSA
GHSA-rgq9-rg7j-xm4x (ghsa_unreviewed · 2025-05-13) · CVE-2025-42999 [CRITICAL] · CWE-502
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
VulnCheck
SAP NetWeaver Deserialization Vulnerability (vulncheck · 2025 · CVSS 9.1) · CVE-2025-42999 [CRITICAL] · CWE-502
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
Affected: SAP NetWeaver
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://onapsis.com/blog/new-exploit-for-cve-2025-31324/; ht
CISA
SAP NetWeaver Deserialization Vulnerability (cisa · 2025-05-15 · CVSS 9.1) · CVE-2025-42999 [CRITICAL] · CWE-502
Vulnerability: SAP NetWeaver Deserialization Vulnerability
Affected: SAP NetWeaver
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3604119 ; https://nvd.nist.gov/vuln/detail/CVE-2025-42999
Remediation Due Date: 2025-06-05
No detection rules found.
No public exploits indexed.
Checkpoint
19th May – Threat Intelligence Report (blogs_checkpoint · 2025-05-19) · CVE-2025-31324
## 19th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Fashion giant Dior confirmed a data breach that exposed customer information from its Fashion and Accessories line. The leaked data includes names, gender, phone numbers, email addresses, postal addresses, and purchase history with customers in South Korea and China most affected. Specific details regarding the quantity and addit
Bleepingcomputer
Ransomware gangs join ongoing SAP NetWeaver attacks (blogs_bleepingcomputer · 2025-05-14 · CVSS 7.8) · CVE-2025-31324 [HIGH]
## Ransomware gangs join ongoing SAP NetWeaver attacks
By Sergiu Gatlan
Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers.
SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324), days after it was first tagged by cybersecurity company ReliaQuest as targeted in the wild.
Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise.
Today, in an update to their original advisory, ReliaQuest revealed that the RansomEXX and BianLian ransomware operations have also joined these at
Bleepingcomputer
SAP patches second zero-day flaw exploited in recent attacks (blogs_bleepingcomputer · 2025-05-13 · CVSS 10.0) · CVE-2025-42999 [CRITICAL]
## SAP patches second zero-day flaw exploited in recent attacks
By Sergiu Gatlan
SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day.
The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April.
"SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer," a SAP spokesperson told BleepingComputer. "We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here: 3594142 & 3604119."
Tenable
CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild (blogs_tenable · 2025-04-25 · CVSS 10.0) · [CRITICAL]
Timeline
- 2025-05-13: Published
- 2025-05-15: Added to CISA KEV
- Exploited in the wild