CVE-2025-42999: Insecure Deserialization in SAP NetWeaver (Visual Composer development server)

9.1 CVSS

Description

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Known Exploited

🚨 Marked as known exploited on May 15th, 2025 (17 days ago).

Classification

CVE ID: CVE-2025-42999

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem Types

CWE-502: Deserialization of Untrusted Data

Affected Products

Vendor: SAP_SE

Product: SAP NetWeaver (Visual Composer development server)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 14.71% (probability of being exploited)

EPSS Percentile: 94.12% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-42999
https://me.sap.com/notes/3604119
https://url.sap/sapsecuritypatchday

Timeline

2025-05-13 03:40:17 UTC
CVE

Insecure Deserialization in SAP NetWeaver (Visual Composer development server)
2025-05-15 17:45:17 UTC
CISA KEV

SAP NetWeaver Deserialization Vulnerability
2025-05-15 17:46:17 UTC
🚨 Marked as Known Exploited