PatchSiren cyber security CVE debrief
CVE-2025-42999 SAP CVE debrief
CVE-2025-42999 is a SAP NetWeaver deserialization vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on 2025-05-15. That KEV listing means the issue is confirmed to be exploited in the wild, so remediation should be treated as urgent even though the supplied corpus does not include a CVSS score or a detailed vendor impact statement. SAP’s guidance is referenced by CISA, and the source notes that SAP users must have an account to access the relevant patch notes.
- Vendor: SAP
- Product: NetWeaver
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-05-15
- Original CVE updated: 2025-05-15
- Advisory published: 2025-05-15
- Advisory updated: 2025-05-15
Who should care
SAP NetWeaver administrators, application owners, security operations teams, vulnerability management teams, and incident responders should prioritize this issue. Organizations running SAP NetWeaver in any environment should verify exposure and remediation status immediately.
Technical summary
The available official records identify CVE-2025-42999 as a deserialization vulnerability in SAP NetWeaver. CISA’s KEV catalog adds the key operational context: the flaw is known to be exploited, and remediation is expected by the KEV due date. The supplied corpus does not provide a CVSS score or deeper technical impact details, so defensive handling should rely on the KEV status and SAP’s vendor instructions.
Defensive priority
Urgent. Because the vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, remediation should be prioritized ahead of routine patch cycles and tracked against the KEV due date of 2025-06-05.
Recommended defensive actions
- Inventory all SAP NetWeaver instances and confirm whether they are exposed to CVE-2025-42999.
- Apply SAP’s vendor instructions and any relevant patch or mitigation as soon as possible.
- Ensure the team responsible for SAP patching can access the relevant SAP note referenced by CISA (SAP Note 3604119).
- Track remediation against the CISA KEV due date of 2025-06-05.
- If the product is used in a cloud service context, follow applicable CISA BOD 22-01 guidance.
- If mitigations are unavailable, consider discontinuing use of the product until remediation is possible.
- Monitor affected systems for signs of compromise and review authentication, application, and audit logs for unusual activity.
- Validate that remediation succeeded by rescanning and confirming the vulnerability is no longer present.
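To make the tracking step concrete, the following script is an added example (not part of this debrief or of CISA's or SAP's tooling). It parses a record in the field layout of the CISA KEV JSON feed, matches it against a constructed asset inventory, and reports whether remediation is open, due soon, overdue, or complete relative to the KEV due date. The KEV entry values are taken from this debrief (dateAdded 2025-05-15, dueDate 2025-06-05, knownRansomwareCampaignUse Unknown); the hostnames and patch states in the inventory are placeholders.

```python
"""Track a CISA KEV entry against its remediation due date.

Added example, not part of the original debrief. SAMPLE_KEV_JSON is a
constructed record in the layout of the KEV feed's "vulnerabilities"
array; in real use, load the live feed instead. SAMPLE_INVENTORY is a
constructed asset list with placeholder hostnames.
"""
from datetime import date
import json

# Constructed sample entry; values match the debrief's KEV listing.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-42999",
            "vendorProject": "SAP",
            "product": "NetWeaver",
            "dateAdded": "2025-05-15",
            "dueDate": "2025-06-05",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed inventory: which assets run the affected product and whether
# the vendor fix has been confirmed applied (hostnames are placeholders).
SAMPLE_INVENTORY = [
    {"host": "sap-prd-01.example.internal", "product": "NetWeaver", "patched": False},
    {"host": "sap-dev-02.example.internal", "product": "NetWeaver", "patched": True},
    {"host": "web-01.example.internal", "product": "Other", "patched": False},
]


def parse_kev(feed_json):
    """Return {cveID: entry} with dateAdded/dueDate parsed to date objects."""
    entries = {}
    for item in json.loads(feed_json)["vulnerabilities"]:
        entry = dict(item)
        entry["dateAdded"] = date.fromisoformat(item["dateAdded"])
        entry["dueDate"] = date.fromisoformat(item["dueDate"])
        entries[entry["cveID"]] = entry
    return entries


def remediation_status(entry, inventory, today_iso):
    """Classify one KEV entry against the inventory as of today_iso (YYYY-MM-DD).

    Returns the hosts still unpatched, days until the KEV due date
    (negative once overdue) and a status label for a tracking dashboard.
    """
    today = date.fromisoformat(today_iso)
    unpatched = [a["host"] for a in inventory
                 if a["product"] == entry["product"] and not a["patched"]]
    days_left = (entry["dueDate"] - today).days
    if not unpatched:
        status = "remediated"
    elif days_left < 0:
        status = "overdue"
    elif days_left <= 7:
        status = "due-soon"
    else:
        status = "open"
    return {
        "cveID": entry["cveID"],
        "status": status,
        "days_left": days_left,
        "unpatched": unpatched,
        "ransomware_use": entry["knownRansomwareCampaignUse"],
    }


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_JSON)
    for day in ("2025-05-20", "2025-06-01", "2025-06-10"):
        print(day, remediation_status(kev["CVE-2025-42999"], SAMPLE_INVENTORY, day))
```

The status thresholds (seven days for "due-soon") are a choice for this example, not a CISA rule; the point is that the KEV dueDate, not the organisation's routine patch window, drives the deadline, and that an entry only moves to "remediated" when every in-scope asset reports the fix applied.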
Evidence notes
Evidence is limited to official public records supplied in the corpus: the CVE record, NVD entry, and CISA KEV catalog. CISA lists SAP NetWeaver under CVE-2025-42999 with dateAdded 2025-05-15 and dueDate 2025-06-05, and marks knownRansomwareCampaignUse as Unknown. The source metadata also states that SAP users must have an account to log in and access the patch and references SAP Note 3604119. No CVSS score or richer vendor impact text was provided in the supplied materials.
Official resources
- CVE-2025-42999 CVE record (CVE.org)
- CVE-2025-42999 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA); required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL: cisa_kev
Public debrief based on official records supplied in the corpus. Timing context uses the CVE published/modified date of 2025-05-15 and the CISA KEV dateAdded/dueDate values; no generation or review date is treated as the issue date.