A critical vulnerability in SAP NetWeaver Application Server (AS) Java has triggered an urgent response from both SAP and the broader cybersecurity community. Identified as CVE-2025-42944 and carrying a CVSS score of 10.0—the highest possible severity—this flaw allows unauthenticated attackers to remotely execute arbitrary operating system (OS) commands. The flaw targets the Remote Method Invocation Protocol 4 (RMI-P4) module of SAP NetWeaver, a core enterprise platform used by thousands of organizations worldwide.
SAP has issued Security Note #3634501, urging enterprises to apply the patch immediately and reinforcing the threat’s gravity with additional mitigations in its October 2025 security update.
Deserialization Vulnerability in SAP NetWeaver Puts Entire Systems at Risk
CVE-2025-42944 stems from insecure Java object deserialization in the RMI-P4 module of SAP NetWeaver ServerCore 7.50. The vulnerability can be exploited by unauthenticated attackers submitting a malicious payload to the exposed RMI-P4 port, thereby achieving arbitrary OS command execution.
According to RedLegg and Aqua Security, this flaw enables full compromise of the application’s confidentiality, integrity, and availability. There is no authentication required to exploit the vulnerability, and the RMI-P4 module—used for internal Java method invocation—is accessible over the network by default in many configurations.
Why This SAP NetWeaver Vulnerability is Rated CVSS 10.0
Multiple security experts—including those from the National Vulnerability Database (NVD), SAPExpert.ai, and Positive Technologies—point to the unrestricted command execution capability, lack of authentication requirement, and broad attack surface as reasons for the maximum criticality score.
The exploit path involves:
- Submission of a crafted Java object to an open port associated with SAP NetWeaver RMI-P4.
- The deserialization of untrusted input.
- Execution of attacker-defined operations on the operating system with the privileges of the SAP service account.
As SecurityOnline.info explains, the nature of Java serialization—especially when exposed to external inputs without tight validation—makes this a particularly lethal vector in enterprise environments running business-critical applications.
SAP’s Response Includes Patch and Defense-in-Depth Enhancements
SAP first addressed CVE-2025-42944 in its September 2025 Patch Day, during which it released 21 new security notes. The update was followed by a more comprehensive patch in October, which included the implementation of a Java Virtual Machine (JVM)-wide deserialization filter. This addition helps block known dangerous classes from being deserialized, even in case of misconfiguration elsewhere.
Security Recommendations and Immediate Mitigations for the SAP NetWeaver Vulnerability
Security teams are advised to act quickly to reduce risk from this exploit. Measures recommended by SAP, RedLegg, and Positive Technologies include:
- Applying SAP Security Note #3634501 without delay.
- Isolating SAP NetWeaver AS Java systems on segmented networks, ideally without internet access.
- Disabling the RMI-P4 module entirely if it is not essential to operations.
- Using application layer firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor relevant traffic.
- Implementing strict input validation for serialized data moving through custom modules.
Additionally, developers should review Java code to identify deserialization-prone input and mark fields as `transient` where applicable to hinder external injection attempts.
Broader Takeaways for SAP Basis and Cybersecurity Teams
For SAP Basis administrators and enterprise security architects, the response involves more than just deploying a patch. According to SAPExpert.ai, organizations must evaluate their operational exposure, plan and coordinate downtime windows, and verify system functionality post-update.
Recommended operational steps include:
- Download and apply SAP Security Note #3634501 across all affected environments.
- Conduct a detailed exposure and impact assessment to prioritize patching based on risk.
- Align patching with change management processes to minimize downtime or disruptions.
- Re-test system integrations and application behavior post-patch.
- Update internal security documentation and incident response playbooks to include detection indicators and workaround strategies.
The broader lesson for enterprise IT environments is the persistent risk of insecure deserialization within complex software platforms. CVE-2025-42944 highlights how a single exposed entry point—in this case, a service bound to an open network port—can jeopardize entire production workloads that rely on SAP.
Additional Vulnerabilities Patched in SAP’s Security Updates
While CVE-2025-42944 has attracted the most attention, SAP’s September and October Patch Days addressed several other notable vulnerabilities, including:
- CVE-2025-42937 : A directory traversal vulnerability in SAP Print Service.
- CVE-2025-42910 : An unrestricted file upload issue in SAP Supplier Relationship Management.
These issues further underscore the importance of a consistent and proactive patch management strategy in SAP environments.
Conclusion: Addressing the Risks of Legacy Protocols and Serialization
The CVE-2025-42944 vulnerability is another stark reminder of the inherent dangers posed by insecure Java deserialization, especially when exposed over older, under-secured network protocols like RMI-P4. Enterprises using SAP NetWeaver should consider this a critical wake-up call not only to patch quickly, but also to assess the architectural exposures related to serialization, module exposure, and poor network segmentation.
With active exploitation still unreported, there remains a short window for defenders to act preemptively—before this high-risk flaw enters widespread exploitation in the wild.
