SAP Warns of Critical Security Flaw in NetWeaver
By Netvora Tech News
SAP has issued a warning about a new critical security vulnerability in its NetWeaver platform, which could allow attackers to take control of systems. The company has released updates to address the issue, identified as CVE-2025-42999. Organizations are urged to patch the vulnerability immediately.

The flaw was discovered during an investigation into another actively exploited security vulnerability, CVE-2025-31324, for which an emergency patch was released last month. NetWeaver is a platform for running SAP applications that are widely used in business environments. Both CVE-2025-31324 and CVE-2025-42999 affect a component of NetWeaver called Visual Composer Metadata Uploader.

The impact of the vulnerabilities is rated on a scale of 1 to 10, with CVE-2025-31324 scoring a 10.0 and CVE-2025-42999 scoring a 9.1. CVE-2025-31324 can be exploited by an unauthenticated attacker, which explains its high impact score. The new vulnerability, CVE-2025-42999, requires the attacker to have at least privileged user access.

The National Cyber Security Center (NCSC) previously noted that the Metadata Uploader, designed to build user interfaces without writing code, has not been supported since 2015. The NCSC recommends against using it to build interfaces and advises hosting it in a separate development environment.
What You Need to Know
- CVE-2025-42999 is a critical security vulnerability in NetWeaver that could allow attackers to take control of systems.
- SAP has released updates to address the issue and organizations are urged to patch the vulnerability immediately.
- The vulnerability affects a component of NetWeaver called Visual Composer Metadata Uploader.
- The impact of the vulnerability is rated a 9.1 out of 10.