Platform: sap
Component: sap-netweaver-visual-composer
Fixed in: 7.50.1
CVE-2025-42977 is a Directory Traversal vulnerability identified in SAP NetWeaver Visual Composer. This flaw allows authenticated, high-privileged users to bypass security controls and access or modify files outside of their intended scope. The vulnerability impacts versions 7.50–VCBASE 7.50 and is addressed in version 7.50.1.
Successful exploitation of CVE-2025-42977 could grant an attacker unauthorized access to sensitive data stored on the system. By manipulating input paths, an attacker can potentially read configuration files, source code, or other critical system files. This could lead to the exposure of credentials, proprietary information, or even allow for the modification of system behavior. The low integrity impact stems from the potential to alter files, though the primary risk is data confidentiality. A similar vulnerability in another SAP product previously led to data breaches, highlighting the potential severity.
CVE-2025-42977 was publicly disclosed on 2025-06-10. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. No proof-of-concept code is currently available.
EPSS: 0.34% (57th percentile)
The primary mitigation for CVE-2025-42977 is to upgrade SAP NetWeaver Visual Composer to version 7.50.1 or later. If immediate upgrading is not feasible, consider implementing strict access controls and input validation on the Visual Composer application to limit the potential attack surface. While a direct WAF rule is difficult to implement for directory traversal, restricting access to sensitive file paths based on user roles can provide a layer of defense. Monitor system logs for unusual file access patterns or attempts to access files outside of expected directories.
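The log monitoring recommended above can be sketched as follows. This is an added example, not SAP's code or part of the original advisory: it flags requests whose path or parameter values climb above their base directory once percent-encoding (including double encoding) and backslashes are normalized. The advisory does not name the affected request or log format, so the access-log shape, the `/example/download` endpoint, the `file` parameter and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed access-log shape: ... "METHOD target HTTP/x.y" status size
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample lines; endpoint, parameter and user names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Jun/2025:10:00:01 +0000] "GET /example/download?file=reports/q1.pdf HTTP/1.1" 200 5120',
    '192.0.2.11 - bob [10/Jun/2025:10:00:07 +0000] "GET /example/download?file=..%2f..%2fconf%2fapp.properties HTTP/1.1" 200 812',
    '192.0.2.11 - bob [10/Jun/2025:10:00:09 +0000] "GET /example/download?file=%252e%252e%252fconf%252fapp.properties HTTP/1.1" 200 812',
    '192.0.2.12 - carol [10/Jun/2025:10:00:15 +0000] "GET /example/download?file=reports/../q2.pdf HTTP/1.1" 200 4096',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat Windows separators like '/'

def escapes_base(value):
    """True if the decoded value, walked segment by segment, climbs above its base."""
    depth = 0
    for part in fully_decode(value).split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for each request that escapes its base."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        target = urlsplit(match.group(1))
        values = [target.path] + [v for _, v in parse_qsl(target.query)]
        hit = next((v for v in values if escapes_base(v)), None)
        if hit is not None:
            hits.append((number, fully_decode(hit)))
    return hits

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

Walking segments instead of matching the literal string `../` keeps a value such as `reports/../q2.pdf`, which stays inside its base directory, from raising an alert.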
Apply the security updates provided by SAP for NetWeaver Visual Composer. See SAP Note 3610591 for details on the update and the affected versions. Ensure that all users apply the patch as soon as possible.
CVE-2025-42977 is a Directory Traversal vulnerability in SAP NetWeaver Visual Composer allowing attackers to read or modify files. It affects versions 7.50–VCBASE 7.50 and has a CVSS score of 7.6 (HIGH).
You are affected if you are running SAP NetWeaver Visual Composer versions 7.50–VCBASE 7.50. Upgrade to 7.50.1 or later to mitigate the risk.
The recommended fix is to upgrade to SAP NetWeaver Visual Composer version 7.50.1 or later. Implement stricter access controls as a temporary workaround if upgrading is not immediately possible.
As of June 10, 2025, there are no known active exploits or campaigns targeting CVE-2025-42977, but it is listed on the CISA KEV catalog.
Refer to the official SAP Security Note for CVE-2025-42977 on the SAP Support Portal. The specific note number will be published by SAP.