SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 16 May 2025 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap; Sap netweaver
CPEs | | cpe:2.3:a:sap:netweaver:7.5:*:*:*:*:*:*:*
Vendors & Products | | Sap; Sap netweaver

Thu, 15 May 2025 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | kev {'dateAdded': '2025-05-15'}


Thu, 15 May 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 May 2025 17:45:00 +0000


Tue, 13 May 2025 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 May 2025 02:30:00 +0000

Type | Values Removed | Values Added
Description | SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. Note: Customers who have implemented the security note 3594142 should also implement this security note 3604119. | SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Tue, 13 May 2025 00:45:00 +0000

Type | Values Removed | Values Added
Description | | SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. Note: Customers who have implemented the security note 3594142 should also implement this security note 3604119.
Title | | Insecure Deserialization in SAP NetWeaver (Visual Composer development server)
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2025-07-30T01:36:13.322Z

Reserved: 2025-04-16T13:25:50.942Z

Link: CVE-2025-42999

Vulnrichment

Updated: 2025-05-13T16:29:26.892Z

NVD

Status: Analyzed

Published: 2025-05-13T01:15:48.440

Modified: 2025-05-16T19:44:49.400

Link: CVE-2025-42999

Redhat

No data.

OpenCVE Enrichment

No data.