CVE-2025-42999 - SAP NetWeaver Deserialization Vulnerability
Project: SAP
Product: NetWeaver
Date Added: 2025-05-15
Due Date: 2025-06-05
Vulnerability Name
SAP NetWeaver Deserialization Vulnerability
Description
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3604119
https://nvd.nist.gov/vuln/detail/CVE-2025-42999
Related News Articles
Exploit for critical SAP Netweaver flaws released (CVE-2025-31324, CVE-2025-42999) - August 20, 2025
Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution - August 19, 2025