Platform
sap
Component
sap-netweaver-visual-composer
Fixed in
7.50.1
CVE-2025-42977 is a Directory Traversal vulnerability identified in SAP NetWeaver Visual Composer. This flaw allows authenticated, high-privileged users to bypass security controls and access or modify files outside of their intended scope. The vulnerability impacts versions 7.50–VCBASE 7.50 and is addressed in version 7.50.1.
The Directory Traversal vulnerability in SAP NetWeaver Visual Composer poses a significant risk to system confidentiality. An attacker, having sufficient privileges within the system, can exploit this flaw to read sensitive configuration files, source code, or even modify critical system files. This could lead to data breaches, system compromise, and potential disruption of business operations. The ability to modify files could also allow an attacker to escalate privileges or install malicious code, expanding the attack surface. While the impact on integrity is considered low, the potential for confidentiality breaches is substantial.
CVE-2025-42977 was publicly disclosed on 2025-06-10. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability has been added to the CISA KEV catalog, indicating a potential for exploitation. The relatively straightforward nature of Directory Traversal vulnerabilities suggests that a proof-of-concept may be developed and released in the future.
Organizations heavily reliant on SAP NetWeaver Visual Composer for custom application development are particularly at risk. Environments with weak access controls or where high-privileged users have broad permissions are also more vulnerable. Shared hosting environments utilizing SAP NetWeaver Visual Composer should be carefully assessed and secured.
• java / server:
find /opt/sap/ -name '*composer*' -type f -print0 | xargs -0 grep -i 'path injection'
• java / server:
journalctl -u sapvcs -g "directory traversal"
• generic web:
curl -I 'http://<target>/path%2e%2e/../../etc/passwd' -s
EPSS
0.34% (57th percentile)
The primary mitigation for CVE-2025-42977 is to upgrade SAP NetWeaver Visual Composer to version 7.50.1 or later, which includes the necessary security fixes. If immediate patching is not feasible, consider implementing temporary workarounds such as restricting user privileges and carefully reviewing file access permissions. Implementing a Web Application Firewall (WAF) with rules to block attempts to access files outside of the designated directory can also provide an additional layer of defense. Regularly monitor system logs for suspicious file access patterns.
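The log monitoring this paragraph recommends can be automated. The following added example (not from the page, SAP, or the SAP Security Note) normalizes each requested path from a web access log, unwrapping single- and double-percent-encoded `..` segments such as the `%2e%2e` form above, and flags requests that resolve outside the application's base path. The log lines, their format, and the `/VisualComposer` base path are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed format; not from the page or any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "GET /VisualComposer/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Jun/2025:12:00:02 +0000] "GET /VisualComposer/models/../../WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jun/2025:12:00:03 +0000] "GET /VisualComposer/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0
10.0.0.9 - - [10/Jun/2025:12:00:04 +0000] "GET /VisualComposer/%252e%252e/config?x=1 HTTP/1.1" 404 0
10.0.0.5 - - [10/Jun/2025:12:00:05 +0000] "GET /VisualComposer/models/report.xml HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')
DECODE_PASSES = 3  # enough to unwrap double-encoded sequences such as %252e%252e


def normalize_path(raw_path):
    """Drop the query string, percent-decode until stable, collapse '.' and '..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # posixpath.normpath resolves '..' and never climbs above '/'.
    return posixpath.normpath("/" + path.lstrip("/"))


def escapes_base(raw_path, base):
    """True when the normalized request path lies outside the application's base directory."""
    base_dir = posixpath.normpath("/" + base.strip("/")) + "/"
    return not normalize_path(raw_path).startswith(base_dir)


def find_traversal(log_text, base="/VisualComposer"):
    """Return (client_ip, raw_path, normalized_path) for every request that escapes base."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if escapes_base(raw, base):
            hits.append((line.split()[0], raw, normalize_path(raw)))
    return hits


if __name__ == "__main__":
    for ip, raw, norm in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {raw} -> {norm}")
```

The same normalization is what a WAF rule must perform before matching, since a pattern that only looks for a literal `../` misses the encoded variants in the sample.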
Apply the security updates provided by SAP for NetWeaver Visual Composer. See SAP Note 3610591 for details on the update and the affected versions. Ensure that all users apply the patch as soon as possible.
CVE-2025-42977 is a Directory Traversal vulnerability in SAP NetWeaver Visual Composer allowing attackers to read or modify files. It affects versions 7.50–VCBASE 7.50 and has a CVSS score of 7.6 (HIGH).
You are affected if you are running SAP NetWeaver Visual Composer versions 7.50–VCBASE 7.50. Upgrade to 7.50.1 or later to mitigate the risk.
The recommended fix is to upgrade to SAP NetWeaver Visual Composer version 7.50.1 or later. Implement stricter access controls as a temporary workaround if upgrading is not immediately possible.
As of June 10, 2025, there are no known active exploits or campaigns targeting CVE-2025-42977, but it is listed on the CISA KEV catalog.
Refer to the official SAP Security Note for CVE-2025-42977 on the SAP Support Portal. The specific note number will be published by SAP.