CVE-2025-42999

CRITICAL KEV RANSOMWARE

SAP NetWeaver Visual Composer Metadata Uploader - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-42999 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 15, 2025, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Onapsis.

AI-analyzed exploit summary This repository contains a tool developed by Onapsis and Mandiant to detect and assess potential compromise related to CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver Java systems. It includes functionality for vulnerability detection, IOC identification, and log analysis, but does not contain exploit code.

Description

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Exploits (1)

github SCANNER 8 stars
by Onapsis · pythonpoc
https://github.com/Onapsis/Onapsis-Mandiant-CVE-2025-31324-Vuln-Compromise-Assessment

This repository contains a tool developed by Onapsis and Mandiant to detect and assess potential compromise related to CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver Java systems. It includes functionality for vulnerability detection, IOC identification, and log analysis, but does not contain exploit code.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: SAP NetWeaver Java systems
Auth required
Prerequisites: Access to the SAP application file system · Permissions to execute scripts and read logs
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.1
EPSS 0.1085
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-05-15
VulnCheck KEV 2025-04-27
ENISA EUVD EUVD-2025-14349
Ransomware Use Confirmed
CWE
CWE-502
Status published
Products (1)
sap/netweaver 7.5
Published May 13, 2025
KEV Added May 15, 2025
Tracked Since Feb 18, 2026