SAP Netweaver Visual Composer Insecure Deserialization (3604119)

🗓️ 22 Jul 2025 00:00:00Reported by TenableType

SAP NetWeaver Visual Composer has an insecure deserialization vulnerability due to inadequate validation.

Reporter	Title	Published	Views	Family All 24
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Sap Netweaver	12 Jan 202617:30	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Sap Netweaver	1 May 202518:44	–	githubexploit
ATTACKERKB	CVE-2025-42999	13 May 202500:00	–	attackerkb
Information Security Automation	About Remote Code Execution – SAP NetWeaver (CVE-2025-31324, CVE-2025-42999) vulnerability	17 Sep 202511:16	–	avleonov
BDU FSTEC	The vulnerability of the MetadataUploader function in the Visual Composer tool of the SAP NetWeaver software integration platform allows a hacker to execute arbitrary code.	19 May 202500:00	–	bdu_fstec
Circl	CVE-2025-42999	13 May 202501:32	–	circl
CISA KEV Catalog	SAP NetWeaver Deserialization Vulnerability	15 May 202500:00	–	cisa_kev
CISA	CISA Adds Three Known Exploited Vulnerabilities to Catalog	15 May 202512:00	–	cisa
CNNVD	SAP NetWeaver Visual Composer Metadata Uploader 安全漏洞	13 May 202500:00	–	cnnvd
CNVD	SAP NetWeaver Visual Composer Metadata Uploader Deserialization Vulnerability	19 May 202500:00	–	cnvd

Source	Link
me	www.me.sap.com/notes/3604119
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(242564);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/07/23");

  script_cve_id("CVE-2025-42999");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/06/05");

  script_name(english:"SAP Netweaver Visual Composer Insecure Deserialization (3604119)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SAP Netweaver Visual Composer is affected by an insecure deserialization vulnerability.");
  script_set_attribute(attribute:"description", value:
"SAP NetWeaver Visual Composer is affected by an insecure deserialization vulnerability caused by insufficient validation
of uploaded content, when deserialized, provided by a high-privileged user. This allows an attacker to potentially
compromise the confidentiality, integrity, and availability of the host system.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://me.sap.com/notes/3604119");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-42999");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/05/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/05/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:sap:netweaver_visual_composer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("sap_nw_local_detection.nbin");
  script_require_keys("installed_sw/SAP NetWeaver");

  exit(0);
}

include('vcf_extras_sap.inc');

var app_info = vcf::get_app_info(app:'SAP NetWeaver');

var jar = 'devserver_metadataupload_war.jar';

var constraints = [
  {'min_version' : '7.50', 'fixed_version' : '7.50.20', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.20', 'fixed_version' : '7.50.20.249183', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.21', 'fixed_version' : '7.50.21.249182', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.22', 'fixed_version' : '7.50.22.249181', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.23', 'fixed_version' : '7.50.23.249180', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.24', 'fixed_version' : '7.50.24.249179', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.25', 'fixed_version' : '7.50.25.249178', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.26', 'fixed_version' : '7.50.26.249177', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.27', 'fixed_version' : '7.50.27.249176', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.28', 'fixed_version' : '7.50.28.249175', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.29', 'fixed_version' : '7.50.29.249174', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.30', 'fixed_version' : '7.50.30.249173', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.31', 'fixed_version' : '7.50.31.249172', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.32', 'fixed_version' : '7.50.32.249171', 'fixed_display':'See Advisory'},
  {'min_version' : '7.50.33', 'fixed_version' : '7.50.33.249185', 'fixed_display':'See Advisory'}
];

vcf::sap_netweaver_as::component_check_version_and_report(
  app_info:app_info,
  jar:jar,
  constraints:constraints,
  severity:SECURITY_HOLE
);

23 Jul 2025 00:00Current

8.6High risk

Vulners AI Score8.6

CVSS 3.19.1

EPSS0.11222

SSVC