SAP NW Visual Composer IDU Deserial Remote Exec via Untrusted Content
CVE-2025-42999 Published on May 13, 2025

Insecure Deserialization in SAP NetWeaver (Visual Composer development server)
SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

NVD

Known Exploited Vulnerability

This SAP NetWeaver Deserialization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

The following remediation steps are recommended / required by June 5, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2025-42999 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-42999 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2025-42999

Want to know whenever a new CVE is published for SAP NetWeaver? stack.watch will email you.

SAP NetWeaver
 

Affected Versions

SAP_SE SAP NetWeaver (Visual Composer development server) Version VCFRAMEWORK 7.50 is affected by CVE-2025-42999

Exploit Probability

EPSS
65.71%
Percentile
98.47%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.