SAP NetWeaver Visual Composer is affected by multiple vulnerabilities, including the following:

  - SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user     can upload untrusted or malicious content which, when deserialized, could potentially     lead to a compromise of confidentiality, integrity, and availability of the host system.
    (CVE-2025-42999)

  - SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an     authenticated attacker with SAP standard authorization to execute a certain function module     remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due     to lack of input validation and no authorization checks. This has low Confidentiality impact     but high impact on integrity and availability to the application.
    (CVE-2025-43010)

  - Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform     the necessary authorization checks, allowing authenticated users to access restricted     functionalities or data. This can lead to a high impact on confidentiality with no impact     on the integrity or availability of the application.
    (CVE-2025-43011)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

SAP Netweaver Visual Composer Multiple Vulnerabilities (May 2025)

critical Nessus Plugin ID 236840

Version 1.2

Version 1.1

Version 1.2 May 18, 2025, 12:10 AM CISA reference CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 9.8) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") CVSSv2 score source (changed from "CVE-2025-42999" to "CVE-2025-31324") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" set to "Exploits are available") Plugin Feed: 202505180010
Version 1.1 May 16, 2025, 6:20 PM New Plugin Feed: 202505161820