
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
SAP NetWeaver Visual Composer Metadata Uploader contains a critical deserialization vulnerability (CVE-2025-42999), disclosed in May 2025. The vulnerability, rated CVSS 9.1, allows a privileged user holding the VisualComposerUser role to upload untrusted or malicious content which, when deserialized by the server, can compromise the confidentiality, integrity, and availability of the host system. It was identified while investigating a previously exploited zero-day in the same component (CVE-2025-31324, a missing authorization check on the Metadata Uploader rated CVSS 10.0) and affects SAP NetWeaver Java systems (SAP Note, Arctic Wolf).
The vulnerability is a deserialization of untrusted data flaw (CWE-502) in the Visual Composer component. On its own it requires an authenticated, privileged user, but chained with CVE-2025-31324, which removes the authentication requirement on the same upload endpoint, it lets an unauthenticated remote attacker reach the deserialization path and execute arbitrary commands. The vulnerability received a Critical CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H); the PR:H metric is what holds the score below 10.0, and that requirement disappears in the chained attack. Visual Composer is enabled by default starting with SAP NetWeaver 2004s, making this vulnerability widely applicable (Bleeping Computer, Arctic Wolf).
When exploited, the vulnerability allows attackers to achieve full system compromise, including access to the underlying operating system as the SAP administrative user (<sid>adm). That level of access permits attackers to execute arbitrary commands, manipulate financial records, deploy ransomware, access personally identifiable information (PII), corrupt business data, and modify system logs. The impact is particularly severe for organizations subject to regulatory requirements such as the SEC cybersecurity disclosure rules or NIS2 (Hacker News).
SAP has released Security Note 3604119 to address CVE-2025-42999; it fixes the root cause, the unsafe deserialization itself. Organizations are strongly advised to apply this security update immediately. Note 3594142 (for CVE-2025-31324) only restored the missing authorization check on the upload endpoint, so customers who have already implemented it must also implement this new note, otherwise the deserialization flaw remains reachable by any privileged user. For systems that cannot be patched immediately, SAP recommends disabling the Visual Composer service if it is not required (Arctic Wolf, SAP Note).
The cybersecurity community has responded with heightened concern because this vulnerability is being actively exploited in conjunction with CVE-2025-31324. Security researchers and incident response teams have been tracking and analyzing the attacks, and multiple security firms have published detailed analyses and indicators of compromise. Reported involvement of nation-state actors has further elevated the severity of the issue (Hacker News).
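As an added example of the kind of hunt the published indicators support (this is not code from the page, from Wiz, or from any of the cited vendors), the script below scans HTTP access-log lines for two patterns: any request to the Visual Composer Metadata Uploader endpoint, and direct invocation of a .jsp file under /irj/ with a cmd= parameter. The endpoint path /developmentserver/metadatauploader and the JSP-with-cmd= webshell pattern come from public incident reporting on CVE-2025-31324, not from this page; the Common Log Format layout and the sample lines are constructed for the example. In production, the uploader is a development tool, so any hit on it, including HEAD probes used for reconnaissance, deserves a look.

```python
"""Hunt for Metadata Uploader hits and webshell-style JSP calls in access logs.

Added example. Assumptions: logs are in Common Log Format (constructed sample
below); the endpoint path and the cmd= JSP heuristic are taken from public
incident reports on CVE-2025-31324 / CVE-2025-42999, not from the advisory page.
"""
import re
from dataclasses import dataclass

# Constructed sample log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.3 - - [25/Apr/2025:09:13:50 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [25/Apr/2025:09:14:33 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 214
203.0.113.7 - - [25/Apr/2025:09:14:40 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 38
10.0.0.9 - - [25/Apr/2025:09:15:02 +0000] "GET /irj/portal/anonymous HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOADER_PATH = "/developmentserver/metadatauploader"
# A JSP served straight out of /irj/ and driven by a cmd= query parameter is
# the classic webshell invocation seen in public reports; legitimate portal
# traffic does not look like this.
WEBSHELL_RE = re.compile(r"^/irj/[^/?]+\.jsp\?.*\bcmd=", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    reason: str
    request: str


def parse_line(line):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return a Finding for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        path = target.split("?", 1)[0].lower()
        request = f'{rec["method"]} {target} -> {rec["status"]}'
        if path == UPLOADER_PATH:
            reason = "request to Visual Composer Metadata Uploader endpoint"
            if rec["method"] == "POST" and rec["status"] == "200":
                # An accepted POST is an upload; this is where the untrusted
                # content that CVE-2025-42999 deserializes would arrive.
                reason += " (POST accepted: possible upload / deserialization attempt)"
            findings.append(Finding(rec["src"], rec["ts"], reason, request))
        elif WEBSHELL_RE.match(target):
            findings.append(Finding(rec["src"], rec["ts"],
                                    "JSP under /irj/ invoked with cmd= (webshell pattern)",
                                    request))
    return findings


def suspicious_sources(findings):
    """Distinct client addresses that produced at least one finding."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.request}: {f.reason}")
    print("sources to triage:", suspicious_sources(scan(SAMPLE_LOG)))
```

On the sample, the HEAD probe, the accepted POST and the follow-up cmd= call are all flagged, and the two external addresses come out as the hosts to triage; the ordinary portal requests are left alone. On a real system the same two patterns are worth checking against the ICM/HTTP logs for the whole exposure window, since a patched system may already have been backdoored before the note was applied.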
Source: This report was generated using AI