CVE‑2025‑42999 | SAP | RCE
# CVE‑2025‑42999
| Vulnerability | CVE‑2025‑42999 |
|---|---|
| Type | Insecure Deserialization (RCE) |
| Description | CVE‑2025‑42999 is a critical insecure deserialization vulnerability in the Visual Composer component of SAP NetWeaver AS Java. Content submitted to the Visual Composer Metadata Uploader by a privileged user is deserialized without validation, so a crafted serialized Java object yields code execution on the host. In the wild it has been chained with CVE‑2025‑31324, the unauthenticated upload flaw in the same uploader: a system patched only for CVE‑2025‑31324 still exposes the deserialization path to anyone holding the required role or to a payload planted during the earlier compromise, which is why it is used for post-patch persistence. |
| Affected Systems | SAP NetWeaver AS Java 7.0–7.5 with Visual Composer enabled, prior to SAP Note 3604119. |
| Attack Vector | Reachable over HTTP(S), but requires an account with Visual Composer privileges, or a foothold and previously planted payload from a CVE‑2025‑31324 compromise; triggered by a request to the Visual Composer Metadata Uploader service. |
| Exploit Mechanism | The attacker uploads a crafted serialized object (or triggers one already on the system); Visual Composer deserializes it without restricting the classes involved, and the resulting gadget chain runs attacker code in the AS Java process context. |
| Impact of the Bug | Enables persistent RCE, allowing attackers or insiders to fully compromise SAP servers, escalate privileges, or maintain access even after CVE‑2025‑31324 is patched. |
| Detection & IOCs | - Webshell/Backdoor Checks: same indicators as CVE‑2025‑31324; diff the JSP, class and JAR files under the AS Java web roots against a known-good inventory and treat anything unexpected or recently modified as suspect. - User Activity Monitoring: review Visual Composer user actions and the accounts holding the Visual Composer role for uploads or uploader requests they cannot explain. - SAP Logs: watch the AS Java trace and application logs for deserialization errors (unexpected class, class-not-found) and for unusual class loads, and correlate them with requests to the Metadata Uploader endpoint in the HTTP access logs. - Post-Exploitation Signals: outbound C2 traffic from the SAP host, or post-exploitation frameworks (e.g., Brute Ratel, Cobalt Strike) running on SAP servers. |
| Mitigation Steps | - Apply SAP Security Note 3604119 (May 2025 Patch Day); patching CVE‑2025‑31324 alone does not close this flaw. - Disable Visual Composer if it is not used. - Harden and monitor the privileged SAP accounts that can reach Visual Composer. - Run incident response, including a webshell sweep, if compromise is suspected, since a patched system may already host a planted payload. |
| Workaround (if available) | Disable or remove the Visual Composer services until patched; restrict access to the Visual Composer Metadata Uploader endpoint (`/developmentserver/metadatauploader`) at the Web Dispatcher or reverse proxy so it is reachable only from trusted networks. |
| References | NVD · SAP Note 3604119 · Onapsis · Arctic Wolf · BleepingComputer |
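The two host-side checks in the Detection & IOCs row, a sweep for unexpected JSP/class files and a scan of AS Java log lines for deserialization indicators, as an added example. This is not code from the advisory, SAP or any of the cited vendors. The web-root path, the allowlist of expected files, the log line format and the indicator patterns are assumptions to be replaced with your own baseline; the sample files and log lines the demo runs on are constructed, not real IOCs.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the irj servlet_jsp web root where JSP webshells were dropped in
# the CVE-2025-31324 campaigns; substitute your own SID and instance number.
IRJ_ROOT = Path("/usr/sap/<SID>/<instance>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root")

# File types an attacker drops for code execution or persistence.
DROPPED_EXT = {".jsp", ".class", ".jar", ".war"}

# Deserialization / uploader indicators to look for in AS Java trace and
# application logs. The pattern list is an assumption, not an SAP-published one.
LOG_PATTERNS = [
    re.compile(r"java\.io\.InvalidClassException"),
    re.compile(r"java\.lang\.ClassNotFoundException"),
    re.compile(r"ObjectInputStream\.readObject"),
    re.compile(r"/developmentserver/metadatauploader", re.IGNORECASE),
]


def unexpected_files(root, baseline):
    """Return relative paths under `root` with a DROPPED_EXT suffix that are not
    in `baseline` (a known-good inventory taken from a clean deployment)."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in DROPPED_EXT:
            rel = path.relative_to(root).as_posix()
            if rel not in baseline:
                hits.append(rel)
    return hits


def suspicious_log_lines(lines):
    """Return (line_no, pattern, line) for each log line matching an indicator;
    a line is reported once, on its first matching pattern."""
    out = []
    for n, line in enumerate(lines, 1):
        for pat in LOG_PATTERNS:
            if pat.search(line):
                out.append((n, pat.pattern, line.rstrip()))
                break
    return out


def demo():
    """Run both checks on constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.jsp").write_text("<%-- legitimate portal page --%>")
        # Constructed stand-in for a dropped JSP webshell.
        (root / "helper.jsp").write_text('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}")
        files = unexpected_files(root, baseline={"index.jsp"})

    # Constructed log lines loosely shaped like an AS Java defaultTrace entry.
    sample_log = [
        "#2.0#2025 05 14 10:02:11:334#+0200#Info#com.sap.portal#...#Request served",
        "#2.0#2025 05 14 10:02:15:001#+0200#Error#com.sap.visualcomposer#...#java.io.InvalidClassException: unexpected class during deserialization",
        "#2.0#2025 05 14 10:02:15:002#+0200#Error#com.sap.engine#...#java.lang.ClassNotFoundException: com.example.Gadget",
        "#2.0#2025 05 14 10:03:40:117#+0200#Info#com.sap.portal#...#POST /developmentserver/metadatauploader from 203.0.113.7",
    ]
    logs = suspicious_log_lines(sample_log)
    return files, logs


if __name__ == "__main__":
    found_files, found_logs = demo()
    print("unexpected files:", found_files)
    for line_no, pattern, line in found_logs:
        print(f"line {line_no} matched {pattern}: {line}")
```

To use this on a real host, point `unexpected_files` at `IRJ_ROOT` (and any other servlet_jsp roots you serve) with a baseline built from a clean system or the deployed software component archive, and feed `suspicious_log_lines` the defaultTrace and HTTP access log files. A hit from either check is a lead to investigate, not proof of compromise: legitimate deployments also write class files, and the indicator list is deliberately broad.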