Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Insecure Deserialization in SAP NetWeaver Visual Composer Metadata Uploader

Identifiers: CVE-2025-42999 · CWE-502 (Deserialization of Untrusted Data)

CVE-2025-42999 is a critical insecure deserialization vulnerability (CWE-502) in the Metadata Uploader of SAP NetWeaver Visual Composer, part of the Visual Composer development server component. A privileged user can upload untrusted or malicious serialized content that the application then deserializes; because the serialized stream, not application logic, decides which classes are instantiated and which methods run during reconstruction, a crafted object can lead to arbitrary command or code execution on the underlying host. The flaw has been observed both on its own and chained with CVE-2025-31324 (the authentication bypass in the same Metadata Uploader) in real-world attacks.
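The general mechanism behind CWE-502, as an added example that is not SAP's code: the affected component is Java, so this is the Python pickle analogue of the same bug class, with the vulnerable loader beside an allow-listing loader. The gadget class, the command it runs and the allow-list entries are constructed for the demonstration.

```python
import io
import pickle
import subprocess
import sys

# Added example (Python pickle analogue of a Java deserialization flaw).
# The uploaded bytes are a serialized object; what runs during load is
# decided by the stream, not by the application that called load().


class RunCommand:
    """Constructed gadget: deserializing it calls subprocess.check_output."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        # pickle records "call subprocess.check_output(argv)" as the recipe
        # for rebuilding this object, so the command runs inside loads().
        return (subprocess.check_output, (self.argv,))


def make_malicious_blob(argv):
    """Attacker side: the serialized payload that gets uploaded."""
    return pickle.dumps(RunCommand(argv))


def unsafe_load(blob):
    """Vulnerable pattern: deserialize whatever was uploaded."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: resolve only an allow-list of classes.

    Every GLOBAL/STACK_GLOBAL reference in the stream goes through
    find_class; anything not on the list (e.g. subprocess.check_output)
    is refused before it can be called.
    """

    # Assumed allow-list for the demo; a real one holds the model's own types.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def run_demo():
    """Return (output of the command the unsafe loader ran,
    whether the safe loader blocked the same blob,
    benign metadata loaded through the safe loader)."""
    # Harmless stand-in for an attacker's command: print a marker.
    blob = make_malicious_blob([sys.executable, "-c", "print('pwned')"])

    executed = unsafe_load(blob).strip()  # the command ran during load

    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # Plain containers and strings need no class lookup at all, so the
    # restricted loader still handles legitimate metadata.
    benign = safe_load(pickle.dumps({"model": "demo", "fields": ["a", "b"]}))
    return executed, blocked, benign


if __name__ == "__main__":
    print(run_demo())
```

The Java equivalent of the restricted loader is an ObjectInputFilter on the ObjectInputStream; the principle is the same: the deserializer must refuse every type the application did not explicitly expect, because a denylist of known gadget classes is always one gadget behind.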


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation compromises the confidentiality, integrity, and availability of the affected host. Reported outcomes include arbitrary command and code execution, privilege escalation, unauthorized system control, webshell deployment, and in some cases full takeover of the vulnerable SAP NetWeaver instance. Chained with CVE-2025-31324, the flaw has been used to bypass authentication and execute payloads with SAP administrator-level privileges, which exposes SAP business data and processes and supports follow-on persistence, lateral movement, and ransomware deployment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable the deprecated Visual Composer component or service where feasible (confirm first that no business process still depends on it), and restrict access to the Visual Composer development server and Metadata Uploader endpoints, including the developmentserver application URL, at the network or reverse-proxy layer so that they are not reachable from the internet. Monitor for suspicious uploads to those endpoints, deserialization-related errors, unexpected JSP or webshell artifacts, and anomalous command execution by the SAP server process. Forward SAP NetWeaver logs to a centralized SIEM, and enforce strong administrative access controls: the standalone flaw requires a privileged account, so an abused or weakly protected administrator credential is the direct path to exploitation.
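The monitoring step above, as an added example rather than a rule shipped by Mallory or SAP: detection logic run over constructed access-log lines in common log format. It assumes the Metadata Uploader is served at /developmentserver/metadatauploader (the path reported publicly for this component) and that the NetWeaver HTTP access log is forwarded in this format; the sample lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Added example: flag Metadata Uploader activity and the upload-then-webshell
# sequence in forwarded access logs. Assumed endpoint path and log format.
UPLOADER_PATH = "/developmentserver/metadatauploader"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one attacker chain, one legitimate developer session.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2025:10:01:22 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [14/May/2025:10:01:30 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - dev1 [14/May/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - dev1 [14/May/2025:10:05:05 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

CMD_PARAM = re.compile(r"(^|&)(cmd|exec|command)=")


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return findings as dicts with ip, ts, severity and reason."""
    findings = []
    uploaders = defaultdict(list)  # ip -> timestamps of uploader POSTs

    for e in filter(None, map(parse, log_text.splitlines())):
        path, _, query = e["path"].partition("?")
        path = path.lower()
        unauth = e["user"] == "-"

        if path == UPLOADER_PATH:
            if e["method"] == "POST":
                # Any POST is an upload attempt; without a session it is the
                # CVE-2025-31324 + CVE-2025-42999 chain rather than an admin.
                uploaders[e["ip"]].append(e["ts"])
                findings.append({
                    "ip": e["ip"], "ts": e["ts"],
                    "severity": "high" if unauth else "medium",
                    "reason": "POST to Metadata Uploader "
                              + ("without an authenticated user"
                                 if unauth else f"by user {e['user']}"),
                })
            elif unauth:
                findings.append({"ip": e["ip"], "ts": e["ts"],
                                 "severity": "low",
                                 "reason": "unauthenticated probe of Metadata Uploader"})
        elif path.endswith(".jsp"):
            if e["ip"] in uploaders:
                findings.append({"ip": e["ip"], "ts": e["ts"],
                                 "severity": "critical",
                                 "reason": f"JSP request to {path} after an upload "
                                           "from the same source"})
            elif CMD_PARAM.search(query.lower()):
                findings.append({"ip": e["ip"], "ts": e["ts"],
                                 "severity": "high",
                                 "reason": f"command-style parameter on {path}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['ts']}  {f['reason']}")
```

The medium finding (an authenticated POST) is still worth a look: the standalone vulnerability is triggered by exactly such a privileged upload, so compare it against the list of people who are actually building Visual Composer models. Authenticated GETs from known developers, like the second session above, produce nothing.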

Remediation

Patch, then assume compromise.

Apply SAP's patch for CVE-2025-42999 immediately on affected SAP NetWeaver / Visual Composer systems. SAP patched the vulnerability in May 2025, and multiple sources urge immediate remediation because of active exploitation and the public availability of the exploit chain. Where applicable, patch both CVE-2025-42999 and the related Visual Composer flaw CVE-2025-31324, as they have been used together in the wild. Because exploitation was already under way before the patch, patching does not evict an attacker who is already present: review affected systems for indicators of compromise, including unauthorized JSP, Java, or class files and other signs of webshell deployment, and run incident response if compromise is suspected.
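The post-patch review step, as an added example that is not SAP's or Mallory's tooling: a hunt for unauthorized JSP, Java and class files under a NetWeaver Java deployment root. It assumes the operator supplies the root path and a baseline timestamp (for example the last known-good deployment), and the content patterns are generic webshell markers rather than indicators from any specific report; the sample tree it scans is constructed in a temporary directory.

```python
import os
import re
import shutil
import tempfile
import time

# Added example: flag JSP/Java/class files that are newer than a baseline or
# contain generic webshell markers. Paths and patterns are assumptions.
SUSPECT_EXT = {".jsp", ".java", ".class"}
SHELL_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"ProcessBuilder"),
    re.compile(rb'request\.getParameter\(\s*"(cmd|exec|command)"'),
]


def scan_tree(root, baseline_epoch):
    """Return sorted (relative path, [reasons]) for every suspect file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            full = os.path.join(dirpath, name)
            reasons = []
            if os.stat(full).st_mtime > baseline_epoch:
                reasons.append("modified after baseline")
            with open(full, "rb") as fh:
                data = fh.read(1 << 20)  # first MiB is enough for markers
            for pat in SHELL_PATTERNS:
                if pat.search(data):
                    reasons.append("matches " + pat.pattern.decode())
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree: one shipped JSP and one dropped shell."""
    root = tempfile.mkdtemp(prefix="nw-hunt-")
    app = os.path.join(root, "irj", "root")  # assumed layout for the demo
    os.makedirs(app)

    shipped = os.path.join(app, "portal.jsp")
    with open(shipped, "wb") as fh:
        fh.write(b'<%@ page language="java" %><html>portal</html>')
    week_ago = time.time() - 7 * 86400
    os.utime(shipped, (week_ago, week_ago))  # pretend it shipped a week ago

    shell = os.path.join(app, "helper.jsp")
    with open(shell, "wb") as fh:
        fh.write(b'<%@ page import="java.io.*" %>'
                 b'<% String c = request.getParameter("cmd"); '
                 b'Process p = Runtime.getRuntime().exec(c); %>')
    # helper.jsp keeps its creation time (now), i.e. after the baseline
    return root


def run_demo():
    root = build_sample_tree()
    try:
        baseline = time.time() - 86400  # constructed: last good deploy, yesterday
        return scan_tree(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(rel, "->", "; ".join(reasons))
```

Point it at the deployed application directories of the Java stack and at any directory the SAP server process can write to. A file that is new relative to the baseline is worth a look even without a content match, since the markers above only catch the crudest shells; a content match on an old file means the baseline itself is suspect.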
PUBLIC EXPLOITS

Exploits

No public exploit code tracked yet for this vulnerability (0 valid / 0 total).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (specific CPE configurations and version ranges are not listed on this page).

Vendor   Product     Type
SAP      NetWeaver   application

Vendor-confirmed product mapping.

What this page doesn't show

This page is what's public. The following is available only in the Mallory app:

- Exposure mapping: which assets run an affected version, and their blast radius.
- Threat actor evidence: every observed campaign linking this CVE to a named adversary.
- Associated malware (12): malware families using this exploit, with evidence and IOCs.
- Detection signatures (1): YARA, Sigma, Snort, and vendor rules.
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
- Social activity (31): community discussion across Reddit, Mastodon, and other social sources.