⚠ Actively exploited
Added to CISA KEV on 2025-05-15. Federal agencies required to patch by 2025-06-05. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-42999

CWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
9.1CRITICAL
EPSS
50.3%
top 2.16%
CISA KEV
KEV
Added 2025-05-15
Due 2025-06-05
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver (visual Composer Development Server)SAP Netweaver
Timeline
PublishedMay 13
KEV addedMay 15
KEV dueJun 5
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

NVDsap/netweaver7.5

🔴Vulnerability Details

3
CVEList
Insecure Deserialization in SAP NetWeaver (Visual Composer development server)2025-05-13
GHSA
GHSA-rgq9-rg7j-xm4x: SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialize2025-05-13
VulnCheck
SAP NetWeaver Deserialization Vulnerability2025

📋Vendor Advisories

1
CISA
SAP NetWeaver Deserialization Vulnerability2025-05-15

🕵️Threat Intelligence

1
Bleepingcomputer
SAP patches second zero-day flaw exploited in recent attacks2025-05-13