CVE-2025-42999
published 2025-05-13

Priority: P1 (87) | Severity: critical | CVSS 3.1 base score: 9.1
Vector: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (remediation due 2025-06-05)
Exploited in the wild
EPSS: 11.22% (95.4th percentile)
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
sap | netweaver | | 
sap_se | sap_netweaver | | 

Detection & IOCs (extracted from sources)

filename: helper.jsp
filename: cache.jsp
  • Monitor SAP NetWeaver servers for JSP web shell uploads (specifically helper.jsp and cache.jsp) in public directories as indicators of active exploitation of this vulnerability chain.
  • RansomEXX/Storm-2460 deployed the PipeMagic modular backdoor and exploited CVE-2025-29824 (Windows CLFS) as a follow-on after initial SAP NetWeaver compromise — monitor for PipeMagic and MSBuild inline task execution post-exploitation.
  • Post-exploitation activity included deployment of Brute Ratel C2 framework via inline MSBuild task execution — monitor for msbuild.exe spawning unusual child processes on SAP NetWeaver hosts.
  • Check Point IPS signatures are available for detection: 'SAP NetWeaver Remote Code Execution (CVE-2025-31324)', 'Ransomware.Win.Ransomexx.glat', 'Ransomware.Wins.BianLian.ta.*', 'Ransomware.Wins.BianLian', 'Backdoor.Wins.BianLian', 'HackTool.Wins.BianLian'.
  • CVE-2025-42999 is only exploitable by users with the 'VisualComposerUser' role on the SAP target system — audit and restrict assignment of this role as a compensating control.
  • Forescout identified at least 581 backdoored SAP NetWeaver instances and ~1,800 additional domains targeted; cross-reference exposed SAP NetWeaver instances against Shadowserver's tracking of 204+ vulnerable internet-exposed servers.
  • CVE-2025-42999 was NOT addressed by the original out-of-band patch for CVE-2025-31324 (SAP note 3594142); a separate patch (SAP note 3604119, released May 13, 2025) is required to remediate the deserialization vulnerability.
  • SAP security note 3604119 (patch for CVE-2025-42999) requires an authenticated SAP account to access; organizations must log in to me.sap.com to retrieve and apply the patch.
  • Even fully patched SAP NetWeaver instances were found to be compromised, indicating zero-day exploitation prior to patch availability; patching alone may be insufficient without forensic investigation of existing systems.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vulncheck | | 9.1 | CRITICAL | 
cisa | | 9.1 | CRITICAL | 