CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-42999

CVSS 9.1v3.1pub. 2025-05-13upd. 2025-10-31

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Sap Netweaver

    APP
    Sap
    7.5

CISA KEV — detailsi

Vendori
SAP
Producti
NetWeaver
Added to KEVi
May 15, 2025
Remediation deadline (US Federal)i
June 5, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 5 czerwca 2025
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2025-31324CRITICAL10.0⚠ KEVPL ✓ten sam produkt

SAP NetWeaver: nieautoryzowany upload plików wykonywalnych w Visual Composer

CVE-2021-38163CRITICAL9.9⚠ KEVten sam produkt

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker aut...

CVE-2023-36922CRITICAL9.1ten sam produkt

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an ...

CVE-2020-6203CRITICAL9.1ten sam produkt

SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an a...

CVE-2011-1517CRITICAL9.8ten sam produkt

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() ...