
Follow-up: Second Zero-Day Vulnerability Impacting SAP Netweaver Exploited in the Wild (CVE-2025-42999)


On 13 May 2025, SAP released a security advisory for CVE-2025-42999, a deserialization of untrusted data vulnerability in the NetWeaver Visual Composer component. This follows a previously disclosed vulnerability (CVE-2025-31324) from 24 April 2025, an unrestricted file upload vulnerability impacting the same NetWeaver Visual Composer component.

While SAP did not confirm that CVE-2025-42999 was being exploited, Onapsis identified that both vulnerabilities had been chained together since at least early March 2025. The combination allows unauthenticated remote threat actors to execute arbitrary commands without holding any privileges on the system. On its own, the deserialisation vulnerability is only exploitable by users with the VisualComposer user role on the SAP target system.

Visual Composer is enabled by default starting with SAP NetWeaver 2004s, as it is included with the base SAP NetWeaver installation. 

Recommendations for CVE-2025-42999

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product: SAP NetWeaver (Visual Composer Framework)
Affected Version: Versions prior to the latest hot fix
Fixed Version: SAP Security Note #36041119 (CVE-2025-42999) and SAP Security Note #3594142


Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 

Disable Visual Composer if Not Required in Your Environment

Visual Composer is enabled by default starting with SAP NetWeaver 2004s, as it is included with the base installation. If not actively used in your environment, consider disabling it using filters within SAP NetWeaver to reduce your attack surface. 
