Overview
On May 13, 2025, SAP published a critical vulnerability identified as CVE-2025-42999 affecting the Visual Composer development server within SAP NetWeaver. The issue is classified under CWE-502: Deserialization of Untrusted Data, a well-known class of vulnerabilities that can allow attackers to compromise the confidentiality, integrity, and availability of a system.
Vulnerability Details
The vulnerability impacts the following product:
- Product: SAP NetWeaver Visual Composer Metadata Uploader
- Version Affected: VCFRAMEWORK 7.50
The flaw occurs when a privileged user uploads malicious or untrusted metadata content to the server. When this content is deserialized, it can lead to the execution of arbitrary code or other serious consequences depending on the payload and environment. Although the attacker must already have high privileges, exploitation does not require any user interaction and can be performed over a network.
Technical Analysis
The vulnerability has a CVSS v3.1 base score of 9.1, indicating critical severity. The vector string is:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Key metrics include:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality, Integrity, Availability Impact: High
This means a high-privileged user can exploit the vulnerability remotely without triggering any user interaction, and the resulting impact may extend beyond the original component being attacked.
Understanding CWE-502
Deserialization of Untrusted Data occurs when an application processes serialized data from an untrusted source without adequate validation. In SAP NetWeaver’s case, improperly validated metadata may be deserialized and trigger arbitrary behavior. Such flaws can be difficult to detect and are often exploited in advanced attacks that aim to execute code or escalate privileges.
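As an added illustration of the CWE-502 pattern (this is example code, not SAP's Visual Composer code, and it uses Python's pickle rather than the Java serialization NetWeaver relies on), the block below places the vulnerable habit, deserializing an upload with whatever types the stream names, next to the mitigation: an unpickler that resolves only an allow-list of classes. `MetadataRecord` is a constructed stand-in for an uploaded metadata object; the sample blobs are constructed inline.

```python
import collections
import io
import pickle
from dataclasses import dataclass


@dataclass
class MetadataRecord:
    """Constructed stand-in for an uploaded metadata object (not an SAP type)."""
    name: str
    version: int


# Only these (module, class) pairs may be instantiated from an untrusted stream.
# __name__ is used because pickle records the class's defining module in the stream.
ALLOWED_GLOBALS = {(__name__, "MetadataRecord")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside the allow-list.

    Every class or function named in a pickle stream passes through find_class,
    so this single hook is the choke point for 'which types may be created'."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def unsafe_loads(blob: bytes):
    """The CWE-502 pattern: the stream, not the application, decides which
    classes get imported and instantiated."""
    return pickle.loads(blob)


def safe_loads(blob: bytes):
    """Deserialise an uploaded blob with the type allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def classify_upload(blob: bytes) -> str:
    """Return 'accepted' or 'rejected' for audit logging instead of raising."""
    try:
        safe_loads(blob)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


def sample_blobs() -> dict:
    """Constructed sample uploads: one contains only the allowed type, the other
    names a class outside the allow-list (collections.Counter, harmless here)."""
    return {
        "benign": pickle.dumps(MetadataRecord("customer-model", 3)),
        "foreign": pickle.dumps(collections.Counter("ab")),
    }


if __name__ == "__main__":
    for label, blob in sample_blobs().items():
        print(label, "->", classify_upload(blob))  # benign -> accepted, foreign -> rejected
```

The point of the two loaders side by side is that the byte stream is identical in both cases; only the policy applied during deserialization differs. In the Java world the equivalent control is an `ObjectInputFilter` (JEP 290) or an application-level allow-list on the `ObjectInputStream`, and the same monitoring advice applies: a rejected upload from a privileged account is exactly the event worth alerting on.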
Exploitation and Threat Landscape
According to the CISA KEV catalog, this vulnerability is actively being exploited in the wild. It has also been highlighted in SAP’s official security notes. The Onapsis research team confirmed exploitation evidence and emphasized its criticality for SAP environments.
Recommendations
To mitigate this vulnerability, SAP recommends:
- Applying patches or mitigations provided in the latest SAP Security Patch Day updates.
- Restricting access to systems where deserialization may occur.
- Implementing secure coding practices to avoid unsafe deserialization patterns.
- Monitoring for unusual privileged user activity and uploads.
Conclusion
CVE-2025-42999 highlights the risks associated with deserialization vulnerabilities, especially in complex enterprise environments like SAP. Due to its high severity and active exploitation, organizations should prioritize patching and review their use of metadata handling and upload functions.