Detections
Analytics

SAP Netweaver Visual Composer Multiple Vulnerabilities (June 2025)

critical Nessus Plugin ID 238431

Synopsis

The remote SAP Netweaver Visual Composer is affected by multiple vulnerabilities.

Description

SAP NetWeaver Visual Composer is affected by a directory traversal vulnerability caused by insufficient validation of input paths provided by a high-privileged user. This allows an attacker to read or modify arbitrary files, resulting in a high impact on confidentiality and a low impact on integrity. (CVE-2025-42977)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?c7f7479e

https://me.sap.com/notes/3610591

Plugin Details

Severity: Critical

ID: 238431

File Name: sap_netweaver_visual_composer_3610591.nasl

Version: 1.1

Type: remote

Family: Web Servers

Published: 6/13/2025

Updated: 6/13/2025

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-42977

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: x-cpe:/a:sap:netweaver_visual_composer

Required KB Items: Settings/ParanoidReport, installed_sw/SAP Netweaver Application Server (AS), installed_sw/SAP Netweaver Visual Composer

Patch Publication Date: 6/10/2025

Vulnerability Publication Date: 6/10/2025

Reference Information

CVE: CVE-2025-42977

IAVA: 2025-A-0406