- SAP fixed CVE-2025-42999, a 9.1/10 vulnerability in NetWeaver
- This one was chained with CVE-2025-31324, which was fixed in April
- Fortune 500 companies are apparently at risk
SAP has patched a critical-severity zero-day vulnerability in NetWeaver server that was being chained in attacks targeting some of the world’s biggest enterprises.
The vulnerability is tracked as CVE-2025-42999, and carries a severity score of 9.1/10 (critical). On NVD, it was said that SAP NetWeaver Visual Composer Metadata Uploader is “vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.”
In a statement given to BleepingComputer, SAP said it discovered this flaw when it was investigating a different one, also a zero-day. This one was reported earlier in April this year, and is now tracked as CVE-2025-31324 (10/10 – critical). The two flaws were allegedly being abused in attacks since January 2025.
SAP issues patch
When security researchers first discovered CVE-2025-31324 being abused, it was said that more than 1,200 SAP instances were at risk of being hijacked. Some researchers claimed the number of vulnerable endpoints was somewhat smaller – around 500 instances.
Visual Composer is a development tool that allows users to build web-based business applications without writing code. It’s mostly used to create dashboards, forms, and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases, or SAP systems).
ReliaQuest, watchTowr, and Onapsis, are just some of the firms that observed the bug being exploited in attacks in which threat actors were dropping web shells on vulnerable servers. SAP, however, told the media that it was not aware of any attacks that impacted customer data or systems.
“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.
Via BleepingComputer
