- SAP has fixed CVE-2025-42999, a 9.1/10 severity vulnerability in NetWeaver
- It was being chained with CVE-2025-31324, which was patched in April
- Fortune 500 companies are reportedly at risk
SAP has patched a critical-severity zero-day vulnerability in its NetWeaver server that was being chained in attacks aimed at some of the world’s largest companies.
The vulnerability is tracked as CVE-2025-42999 and carries a severity score of 9.1/10 (critical). According to NVD, the Metadata Uploader of SAP NetWeaver Visual Composer is “vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could lead to a compromise of confidentiality, integrity and availability of the host system.”
In a statement given to BleepingComputer, SAP said it discovered this flaw while investigating a different one, also a zero-day. That flaw was reported earlier this year and is now tracked as CVE-2025-31324 (10/10, critical). The two flaws have reportedly been abused in attacks since January 2025.
SAP patches the flaws
When security researchers first discovered that CVE-2025-31324 was being abused, it was said that more than 1,200 SAP instances were at risk of being hijacked. Other researchers put the number of vulnerable endpoints somewhat lower, at about 500 instances.
Visual Composer is a development tool that lets users build web-based business applications without writing code. It is mainly used to create dashboards, forms and interactive reports. The Metadata Uploader, in turn, is a tool for importing external data models (metadata) into the Visual Composer design environment, which allows developers to connect to remote data sources (web services, databases or SAP systems).
ReliaQuest, watchTowr and Onapsis are just some of the companies that observed the flaw being exploited in attacks in which threat actors dropped web shells on vulnerable servers. SAP, however, told the media it was not aware of any attack that had impacted customer data or systems.
“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.
Via BleepingComputer