- SAP fixed CVE-2025-42999, a 9.1/10 vulnerability in NetWeaver
- It was chained with CVE-2025-31324, which was patched in April
- Fortune 500 companies are apparently at risk
SAP has fixed a critical-severity vulnerability in its NetWeaver server that was chained in attacks targeting some of the largest companies in the world.
The vulnerability is tracked as CVE-2025-42999 and carries a severity score of 9.1/10 (critical). NVD states that SAP NetWeaver Visual Composer Metadata Uploader is "vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity and availability of the host system."
In a statement given to BleepingComputer, SAP said it discovered this flaw while investigating another one, also a zero-day. That one was reported earlier, in April of this year, and is now tracked as CVE-2025-31324 (10/10, critical). The two flaws have reportedly been abused in attacks since January 2025.
Patch from SAP
When security researchers first discovered CVE-2025-31324 being abused, it was said that more than 1,200 SAP instances were likely exposed. Some researchers put the number of vulnerable instances somewhat lower, at about 500.
Visual Composer is a development tool that lets users build business applications for the web without writing code. It is mainly used to create dashboards, forms and interactive reports. The Metadata Uploader, for its part, is a tool for importing external data models (metadata) into the Visual Composer design environment, which lets developers connect to remote data sources (web services, databases or SAP systems).
ReliaQuest, watchTowr and Onapsis are only some of the companies that observed the bug being exploited in attacks in which threat actors dropped web shells on vulnerable servers. SAP, however, told the media that it was not aware of any attack that had affected customer data or systems.
"Something like 20 Fortune 500 / Global 500 companies are vulnerable, and many of them are compromised," Patrice Auffret of Onyphe told BleepingComputer.
Via BleepingComputer