CVE-2025-42977: SAP NetWeaver Path Traversal Vulnerability

CVE-2025-42977 is a path traversal vulnerability in SAP NetWeaver Visual Composer that allows high-privileged attackers to read or modify arbitrary files. This article covers technical details, impact, and mitigation.

CVE-2025-42977 Overview

CVE-2025-42977 is a directory traversal vulnerability in SAP NetWeaver Visual Composer. The flaw stems from insufficient validation of input paths supplied by high-privileged users. An authenticated attacker can leverage the weakness to read or modify arbitrary files on the underlying server. The Common Weakness Enumeration classification for this issue is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

SAP published the advisory as part of its monthly Security Patch Day. The vulnerability impacts confidentiality at a high level and integrity at a low level, with no direct effect on availability. Successful exploitation can cross security boundaries because the CVSS scope is changed: the affected resources extend beyond the vulnerable component itself.

Critical Impact

An authenticated high-privileged attacker can read or modify arbitrary files on the SAP NetWeaver host, exposing sensitive business data and configuration files.

Affected Products

  • SAP NetWeaver Visual Composer
  • SAP NetWeaver Application Server (component hosting Visual Composer)
  • Refer to SAP Note #3610591 for the authoritative list of affected versions

Discovery Timeline

  • 2025-06-10 - CVE-2025-42977 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-42977

Vulnerability Analysis

The vulnerability resides in SAP NetWeaver Visual Composer, a model-driven development environment used to build analytical applications without manual coding. The component accepts file path parameters from authenticated users but fails to validate or canonicalize them before performing file system operations.

An attacker with high privileges can submit crafted path strings containing traversal sequences such as ../ to escape the intended working directory. Once outside the expected directory, the attacker can interact with arbitrary files accessible to the SAP service account. Because the CVSS scope is changed, exploitation impacts resources beyond the vulnerable component itself.

The high confidentiality impact reflects the ability to read sensitive SAP configuration files, transport files, and operating system data. Low integrity impact indicates limited but meaningful write capability on the host file system.

Root Cause

The root cause is missing input sanitization on path parameters processed by Visual Composer. The application does not reject directory traversal metacharacters or enforce a strict allowlist of permitted paths. File access routines operate on user-supplied input without verifying that the resolved path stays within the designated content directory.
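As an added illustration (not code from SAP or from this article) of the containment check the root cause lacks, the function below canonicalises a user-supplied path against an assumed content root and rejects anything that resolves outside it; the content root and the vulnerable helper shown for contrast are constructed placeholders.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for the Visual Composer content root; not an actual SAP path.
CONTENT_ROOT = "/usr/sap/SID/vc/content"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_vulnerable(user_path: str) -> str:
    """The insecure pattern the Root Cause section describes: join and use as-is."""
    return CONTENT_ROOT + "/" + user_path


def resolve_safe(user_path: str) -> Optional[str]:
    """Canonicalise the candidate and enforce containment; None means 'reject'."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:                      # embedded NUL truncation trick
        return None
    decoded = decoded.replace("\\", "/")       # treat backslashes as separators too
    if posixpath.isabs(decoded):               # absolute paths are never acceptable
        return None
    candidate = posixpath.normpath(posixpath.join(CONTENT_ROOT, decoded))
    # After normalisation the candidate must still sit under the content root.
    if posixpath.commonpath([CONTENT_ROOT, candidate]) != CONTENT_ROOT:
        return None
    return candidate
```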

Attack Vector

Exploitation requires network access to the SAP NetWeaver Visual Composer endpoint and valid credentials with high privileges. No user interaction is required. An attacker submits a request containing a path parameter such as ../../../../sapmnt/SID/global/security/data/SecStore.properties to retrieve sensitive files. The same mechanism can be used to overwrite files writable by the SAP service account, enabling persistence or configuration tampering.

No public proof-of-concept exploit code has been confirmed at the time of writing. Refer to SAP Security Patch Day for additional technical context.

Detection Methods for CVE-2025-42977

Indicators of Compromise

  • HTTP requests to Visual Composer endpoints containing path traversal sequences such as ../, ..\, %2e%2e%2f, or URL-encoded equivalents
  • Unexpected file access in SAP work directories targeting secstore, SecStore.properties, transport directories, or /etc/passwd
  • SAP Security Audit Log entries showing file operations initiated by Visual Composer outside its standard content paths
  • Modifications to files owned by the <sid>adm user originating from Visual Composer sessions

Detection Strategies

  • Inspect SAP NetWeaver HTTP access logs for requests to Visual Composer URLs containing directory traversal payloads
  • Correlate authenticated user sessions with anomalous file read or write activity at the operating system layer
  • Deploy web application firewall rules that normalize and inspect path parameters submitted to /irj/, /webdynpro/, and Visual Composer service endpoints
  • Baseline normal Visual Composer file access patterns and alert on deviations such as access to system configuration files
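An added example, not part of the original article, of the log inspection the first strategy describes: it normalises request targets from constructed access-log lines (repeated percent-decoding, backslash unification) and flags ".." path segments aimed at the endpoint prefixes named above; the /VC/ prefix, the parameter names and every sample entry are assumptions, not real SAP traffic.

```python
import re
from urllib.parse import unquote

# Endpoint prefixes from the detection guidance; the actual Visual Composer
# service path on a given system is an assumption to be adjusted locally.
WATCHED_PREFIXES = ("/irj/", "/webdynpro/", "/VC/")

# Common log format: client IP, authenticated user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# ".." as a whole segment after decoding, preceded by a separator or query delimiter.
TRAVERSAL_RE = re.compile(r"(?:^|[/=?&;])\.\.(?:/|$)")


def normalise(target: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding and unify backslashes: %252e%252e%255c -> ../"""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def scan_line(line: str):
    """Return a finding for a traversal attempt on a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = normalise(m.group("target"))
    if not target.startswith(WATCHED_PREFIXES) or not TRAVERSAL_RE.search(target):
        return None
    return {"ip": m.group("ip"), "user": m.group("user"),
            "status": m.group("status"), "target": target}


def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit is not None]

# Constructed sample lines; IPs, users and parameters are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - vc_admin [10/Jun/2025:09:14:02 +0000] "GET /VC/content?file=reports/q2.xml HTTP/1.1" 200 512',
    '203.0.113.7 - vc_admin [10/Jun/2025:09:14:09 +0000] "GET /VC/content?file=../../../../etc/passwd HTTP/1.1" 200 1840',
    '203.0.113.7 - vc_admin [10/Jun/2025:09:14:15 +0000] "GET /VC/content?file=%252e%252e%252f%252e%252e%252fsapmnt%252fSID HTTP/1.1" 403 0',
    '198.51.100.4 - portal_user [10/Jun/2025:09:20:41 +0000] "GET /webdynpro/resources?path=%2E%2E%5C%2E%2E%5Cetc%5Cpasswd HTTP/1.1" 200 77',
    '198.51.100.4 - portal_user [10/Jun/2025:09:21:03 +0000] "GET /static/img/..%2F..%2Fsecret HTTP/1.1" 404 0',
    '203.0.113.9 - reporter [10/Jun/2025:09:25:30 +0000] "GET /irj/portal?doc=notes..old.txt HTTP/1.1" 200 300',
]
```

Note that a 403 still counts as a finding: a blocked attempt is evidence of an account probing the endpoint, which the session-correlation strategy above should pick up.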

Monitoring Recommendations

  • Enable SAP Security Audit Log with file system event categories and forward logs to a centralized SIEM
  • Monitor privileged SAP accounts for unusual session activity and access to Visual Composer functions
  • Track operating system file access events on the SAP host, focusing on files outside the Visual Composer content repository
  • Review change records for SAP profile parameters and secstore files to detect unauthorized modification

How to Mitigate CVE-2025-42977

Immediate Actions Required

  • Apply the SAP security patch documented in SAP Note #3610591 without delay
  • Audit accounts that hold high privileges within SAP NetWeaver and remove unnecessary entitlements
  • Rotate credentials and secrets that may have been exposed through arbitrary file reads, including those in SecStore
  • Review SAP Security Audit Logs for evidence of traversal attempts prior to patch deployment

Patch Information

SAP released a fix for CVE-2025-42977 as part of the June 2025 Security Patch Day. Administrators should consult SAP Note #3610591 for the corrected component versions, kernel patches, and post-installation steps. Additional release information is available on the SAP Security Patch Day portal.

Workarounds

  • Restrict network access to Visual Composer endpoints to trusted administrative networks using firewall rules or reverse proxy controls
  • Disable Visual Composer if it is not actively used in the environment
  • Enforce least-privilege role design so that fewer accounts hold the high-privilege entitlements required to reach the vulnerable code path
  • Deploy a web application firewall to normalize and block traversal sequences in HTTP request parameters destined for SAP NetWeaver
```apache
# Example WAF rule (ModSecurity) to block traversal patterns on Visual Composer endpoints.
# The "/VC/" prefix is illustrative; adjust it to the Visual Composer paths in use.
# The second SecRule is chained to the first: both must match for the request to be denied.
SecRule REQUEST_URI "@contains /VC/" \
  "id:1000042,phase:2,deny,status:403,\
   msg:'SAP NetWeaver Visual Composer path traversal attempt (CVE-2025-42977)',\
   chain"
  SecRule ARGS|REQUEST_URI "@rx (\.\./|\.\.\\\\|%2e%2e(%2f|%5c))" \
    "t:none,t:lowercase,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.