CVE-2025-42944 – This CVE describes a critical deserialization v... (How to Fix)

Q: What is the severity of CVE-2025-42944?

CVE-2025-42944 has a CVSS score of 10.0 (CRITICAL). This CVE describes a critical deserialization vulnerability in SAP NetWeaver's RMI-P4 module that allows unauthenticated attackers to execute arbitrary operating system commands by sending malicious Java objects to an open port. This affects SAP NetWeaver systems with the vulnerable component exposed. The vulnerability poses severe risks to all three security pillars: confidentiality, integrity, and availability.

📋 TL;DR

This CVE describes a critical deserialization vulnerability in SAP NetWeaver's RMI-P4 module that allows unauthenticated attackers to execute arbitrary operating system commands by sending malicious Java objects to an open port. This affects SAP NetWeaver systems with the vulnerable component exposed. The vulnerability poses severe risks to all three security pillars: confidentiality, integrity, and availability.

💻 Affected Systems

Products:

SAP NetWeaver

Versions: Specific versions not provided in CVE description; refer to SAP security notes for exact affected versions.

Operating Systems: All operating systems running SAP NetWeaver

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with RMI-P4 module enabled and accessible via network are vulnerable. Default configurations may expose this service.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with full administrative access, data exfiltration, ransomware deployment, and permanent system destruction.

🟠

Likely Case

Unauthenticated remote code execution leading to data theft, lateral movement within the network, and installation of persistent backdoors.

🟢

If Mitigated

Limited impact if proper network segmentation, strict firewall rules, and security patches are applied, though risk remains if exposed.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via open ports makes internet-facing systems immediate targets for automated attacks.

🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows lateral movement and privilege escalation within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Deserialization vulnerabilities in Java applications are commonly exploited with publicly available tools and payloads. The unauthenticated nature lowers the barrier for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to SAP security notes 3634501, 3660659, and 3670067 for specific patch versions

Vendor Advisory: https://url.sap/sapsecuritypatchday

Restart Required: Yes

Instructions:

1. Review SAP security notes 3634501, 3660659, and 3670067. 2. Apply the relevant SAP security patches for your NetWeaver version. 3. Restart the affected SAP systems. 4. Verify the patch application through version checks.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to the RMI-P4 port using firewall rules to allow only trusted sources.

# Example Linux iptables rule: iptables -A INPUT -p tcp --dport [RMI-P4_PORT] -s [TRUSTED_IP] -j ACCEPT
# Example Windows Firewall: New-NetFirewallRule -DisplayName "Block SAP RMI-P4" -Direction Inbound -Protocol TCP -LocalPort [RMI-P4_PORT] -Action Block

Service Disablement

all

Disable the RMI-P4 service if not required for business operations.

# Check SAP documentation for your specific version on how to disable RMI-P4 services

🧯 If You Can't Patch

Implement strict network segmentation and firewall rules to block all external and unnecessary internal access to the RMI-P4 port.
Deploy application-level firewalls or WAFs with deserialization attack detection rules and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check if your SAP NetWeaver system has the RMI-P4 service enabled and accessible on the network. Review SAP security notes for version-specific vulnerability checks.

Check Version:

Use SAP transaction code SM51 or OS-level commands to check NetWeaver version. Consult SAP documentation for exact version check procedures.

Verify Fix Applied:

Verify that SAP security patches from notes 3634501, 3660659, and 3670067 are applied. Check that the RMI-P4 service no longer accepts malicious deserialization payloads through security testing.

📡 Detection & Monitoring

Log Indicators:

Unusual Java deserialization errors in SAP logs
Unexpected process executions from SAP Java processes
Network connections to RMI-P4 port from untrusted sources

Network Indicators:

Malformed Java serialized objects sent to RMI-P4 port
Exploit kit traffic patterns targeting SAP ports
Unusual outbound connections from SAP servers

SIEM Query:

Example: source="sap_logs" AND ("deserialization" OR "RMI-P4") AND severity=HIGH

📊 Metadata

CVE ID: CVE-2025-42944

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-502

EPSS Score: 0.06% exploit probability (19.9th percentile)

Published: September 9, 2025

Last Updated: November 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-42944, you might also want to check these: