CVE-2025-42999 — SAP NetWeaver Deserialization Vulnerability

SAP NetWeaver Visual Composer — Deserialization RCE Chained with CVE-2025-31324; Earth Lamia (China-Nexus APT)

What is SAP NetWeaver?

SAP NetWeaver is the core application platform powering SAP's enterprise software suite — the foundational layer beneath SAP ERP, S/4HANA, and countless business-critical applications. It is deployed in enterprises and government agencies worldwide for ERP, supply chain, financials, HR, and procurement. Visual Composer is a NetWeaver add-on enabling business users to build data-driven web applications without coding. The Metadata Uploader component within Visual Composer allows developers to upload metadata that defines application structures. Because SAP systems manage an organization's most sensitive business data (financials, payroll, procurement, logistics), their compromise gives an attacker access to the most critical data in the enterprise.

Overview

CVE-2025-42999 is a deserialization vulnerability (CWE-502, CVSS 9.1) in SAP NetWeaver's Visual Composer Metadata Uploader that requires high-privilege access. In isolation, it is the less severe of two companion CVEs. However, when chained with CVE-2025-31324 (an unauthenticated arbitrary file upload zero-day in the same component), the combination achieves fully unauthenticated RCE with SAP administrator privileges. Earth Lamia (a China-nexus APT) began exploiting this chain in March 2025, compromising over 580 SAP systems globally. CISA added both CVEs to the KEV catalog on 15 May 2025.

Affected Versions

Product                          Vulnerable                                  Fixed
SAP NetWeaver VCFRAMEWORK 7.50   All builds before the SAP Note 3604119 patch   Apply SAP Security Note 3604119

Visual Composer is enabled by default in SAP NetWeaver 2004s and later. Organizations that patched CVE-2025-31324 (the earlier unauthenticated upload flaw) still need to apply the CVE-2025-42999 patch to close the remaining deserialization risk.

Technical Details

The vulnerability (CWE-502) is in the Visual Composer Metadata Uploader component. The Metadata Uploader accepts serialized Java or proprietary object data for processing during application metadata import. The deserialization logic does not validate the content of the serialized payload before deserializing it, so a crafted payload can trigger arbitrary code execution with the privileges of the <SID>adm SAP administrator account.

In isolation (CVE-2025-42999 alone): exploitation requires the Visual Composer user role — a developer or privileged account. This is why the CVSS shows PR:H (high privileges required) and the score is 9.1 rather than 10.0.

In the attack chain (CVE-2025-31324 + CVE-2025-42999):

  1. CVE-2025-31324 is used to upload a malicious file (e.g., a Java serialization payload or webshell) to the SAP server without authentication — that CVE requires no credentials.
  2. CVE-2025-42999's deserialization logic then executes the uploaded payload when the Metadata Uploader processes it.
  3. The chain achieves full unauthenticated RCE as <SID>adm — complete system takeover.

This is why CISA added both CVEs simultaneously and why organizations that patched only CVE-2025-31324 remained at risk.

Discovery

Onapsis identified the chained exploitation during active incident response investigations, tracing reconnaissance activity back to January 20, 2025 and confirming webshell deployments from March 14–31, 2025 — weeks before SAP's patch. CVE-2025-42999 was formally published by SAP on May 13, 2025.

Exploitation Context

Earth Lamia — a China-nexus APT tracked by Trend Micro with custom tooling targeting multiple industry verticals — exploited the CVE-2025-31324 + CVE-2025-42999 chain against SAP NetWeaver systems from as early as January 2025. EclecticIQ attributed a widespread scanning and exploitation campaign to China-nexus threat actors, with over 581 critical SAP systems reported compromised globally across government agencies, utilities, manufacturers, and financial institutions. Ransomware operators subsequently incorporated the exploit chain after it became public. CISA mandated a 21-day federal remediation deadline.

Remediation

  1. Apply SAP Security Note 3604119 immediately — downloading it requires an SAP S-User login. This is the patch for CVE-2025-42999. Follow SAP's installation guide for your NetWeaver version.
  2. Also apply the CVE-2025-31324 patch (SAP Note 3594142) if not already done — both patches are required to fully close the attack chain.
  3. Disable Visual Composer if it is not actively used — this eliminates both CVEs' attack surface entirely. In SAP NetWeaver Configuration Manager, set vc/enabled=false.
  4. Hunt for webshells: search the Visual Composer application directory (/usr/sap/<SID>/J<instance>/j2ee/cluster/apps/sap.com/vc70runtime/) for unexpected .jsp or .class files.
  5. Review SAP audit logs for unexpected <SID>adm command executions, particularly OS-level commands run from the J2EE stack.
  6. Contact Onapsis or your SAP partner for forensic guidance — specialized SAP forensics expertise is needed for a thorough investigation given the depth of access a <SID>adm compromise provides.
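A starting point for step 4, written here as an added example (it is not from the advisory, SAP, Onapsis or CISA): a POSIX shell function that walks the Visual Composer runtime directory and lists every .jsp or .class file modified after a chosen date, defaulting to the advisory's earliest reconnaissance date, with a SHA-256 per file for triage. The directory path is the advisory's, with <SID> and <instance> left as placeholders for the operator to fill in; the modification-time filter and the sha256sum dependency are assumptions of this example.

```shell
#!/bin/sh
# Added example for webshell hunting; not code from the advisory or from SAP tooling.
# Assumes a Linux SAP host with GNU coreutils (sha256sum, mktemp, find).

# Advisory path for the Visual Composer runtime; <SID> and <instance> are placeholders.
VC_DIR_DEFAULT='/usr/sap/<SID>/J<instance>/j2ee/cluster/apps/sap.com/vc70runtime'

# hunt_vc_artifacts DIR [YYYYMMDDhhmm]
# Prints "<sha256>  <path>" for each .jsp/.class file under DIR whose mtime is
# newer than the given timestamp (default: 2025-01-20 00:00, the earliest
# reconnaissance date in the advisory). Returns 0 when nothing is found,
# 1 when at least one candidate is listed, 2 on setup failure.
# Heuristic only: the mtime filter reduces noise from legitimate deployment
# artifacts, but an attacker can reset timestamps, so a hit-free run is not
# proof of a clean system; compare against a known-good baseline as well.
hunt_vc_artifacts() {
    dir=$1
    since=${2:-202501200000}
    ref=$(mktemp) || return 2
    touch -t "$since" "$ref" || { rm -f "$ref"; return 2; }
    hits=$(find "$dir" -type f \( -name '*.jsp' -o -name '*.class' \) \
                -newer "$ref" -exec sha256sum {} + 2>/dev/null)
    rm -f "$ref"
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Convenience wrapper using the advisory's default directory.
hunt_vc_default() {
    hunt_vc_artifacts "$VC_DIR_DEFAULT" "$@"
}
```

Files that are listed should be preserved (not deleted) and reviewed against the baseline from a trusted deployment before any cleanup.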

Key Details

Property               Value
CVE ID                 CVE-2025-42999
Vendor / Product       SAP — NetWeaver
NVD Published          2025-05-13
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-502
CISA KEV Added         2025-05-15
CISA KEV Deadline      2025-06-05
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-06-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-01-20    Earth Lamia begins reconnaissance of SAP NetWeaver systems (Onapsis threat intelligence)
2025-03-14    First confirmed webshell deployments via CVE-2025-31324 (companion unauthenticated upload zero-day)
2025-03-31    Sustained CVE-2025-31324 exploitation wave ends; Earth Lamia shifts to post-exploitation
2025-05-13    SAP Security Note 3604119 published; CVE-2025-42999 formally assigned
2025-05-15    CISA adds both CVE-2025-31324 and CVE-2025-42999 to the KEV catalog
2025-06-05    CISA BOD 22-01 remediation deadline