CVE-2025-42944 Overview
A critical insecure deserialization vulnerability exists in SAP NetWeaver that allows unauthenticated attackers to exploit the system through the RMI-P4 module. By submitting a malicious payload to an open port, attackers can achieve arbitrary OS command execution. The deserialization of untrusted Java objects poses severe risk to the application's confidentiality, integrity, and availability.
Critical Impact
Unauthenticated remote attackers can execute arbitrary operating system commands on vulnerable SAP NetWeaver systems via malicious Java object deserialization, potentially leading to complete system compromise.
Affected Products
- SAP NetWeaver (RMI-P4 Module)
Discovery Timeline
- 2025-09-09 - CVE-2025-42944 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-42944
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The SAP NetWeaver platform contains an insecure deserialization flaw within the RMI-P4 (Remote Method Invocation - Protocol 4) module. When the system receives serialized Java objects through exposed network ports, it deserializes the data without proper validation. This allows attackers to craft malicious serialized objects that, when deserialized, execute arbitrary commands on the underlying operating system.
The vulnerability is particularly dangerous because it requires no authentication, allowing any attacker with network access to the service to exploit the flaw. The CVSS scope metric is rated Changed, meaning that a successful exploit can affect resources beyond the vulnerable component, potentially compromising the entire host system and other services running on it.
Root Cause
The root cause is improper handling of serialized Java objects in the RMI-P4 module. The application fails to validate or sanitize incoming serialized data before deserializing it, allowing attackers to inject malicious object graphs. Java deserialization vulnerabilities commonly exploit "gadget chains" – sequences of existing classes in the application's classpath that can be chained together to achieve arbitrary code execution when deserialized.
Attack Vector
The attack is network-based and targets the RMI-P4 module's open port. An unauthenticated attacker can remotely connect to the vulnerable service and submit a specially crafted serialized Java object. The malicious payload exploits the deserialization process to execute arbitrary OS commands on the target system.
The exploitation typically involves:
- Identifying an exposed RMI-P4 service port on the SAP NetWeaver system
- Crafting a malicious serialized Java object using known gadget chains (such as those found in ysoserial)
- Sending the malicious payload to the vulnerable service
- The server deserializes the object, triggering the gadget chain and executing the attacker's commands
Due to the sensitive nature of this vulnerability, specific exploitation code is not provided. For technical details, refer to SAP Note #3634501 and the SAP Security Patch Day advisory.
Detection Methods for CVE-2025-42944
Indicators of Compromise
- Unusual outbound network connections from SAP NetWeaver application servers
- Suspicious processes spawned by the Java runtime or SAP application processes
- Unexpected files or scripts created in system directories or temp folders
- Anomalous RMI traffic patterns or connections to P4 ports from external sources
Detection Strategies
- Monitor RMI-P4 service ports for connections from unauthorized or external IP addresses
- Implement network intrusion detection rules for known Java deserialization attack patterns
- Deploy endpoint detection solutions capable of identifying malicious Java object deserialization attempts
- Analyze SAP NetWeaver logs for unusual error messages related to object deserialization failures
Monitoring Recommendations
- Enable detailed logging for RMI-P4 module activities and review logs regularly
- Implement network segmentation to limit exposure of RMI services to trusted networks only
- Deploy SentinelOne's Singularity platform for real-time detection of post-exploitation behaviors
- Monitor for suspicious command execution patterns originating from Java processes
How to Mitigate CVE-2025-42944
Immediate Actions Required
- Apply the security patches referenced in SAP Security Notes immediately
- Restrict network access to RMI-P4 ports using firewalls to allow only trusted sources
- Review and audit all network-exposed SAP services for unnecessary exposure
- Implement network segmentation to isolate critical SAP systems from untrusted networks
Patch Information
SAP has released security patches to address this vulnerability. Organizations should apply the relevant updates as documented in the SAP Security Notes referenced above (SAP Note #3634501). For comprehensive patch information and update guidance, visit the SAP Security Patch Day portal.
Workarounds
- Block external access to RMI-P4 ports at the network perimeter until patches can be applied
- If the RMI-P4 module is not required, consider disabling it temporarily
- Implement Java deserialization filters to restrict which classes can be deserialized
- Deploy a web application firewall (WAF) or network security solution capable of inspecting and blocking malicious serialized Java objects
# Example: Restrict RMI-P4 port access using iptables
# Replace P4_PORT with the actual RMI-P4 port number
# Replace TRUSTED_IP with authorized IP addresses
iptables -A INPUT -p tcp --dport P4_PORT -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport P4_PORT -j DROP
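The "restrict which classes can be deserialized" workaround above, shown as an added example (not SAP's or this page's code) using the JDK's ObjectInputFilter from JEP 290 (Java 9+): the filter rejects any class not on an explicit allow-list before its deserialization logic runs, which is exactly the validation step whose absence is the root cause described earlier. P4Request, the allow-list contents and the size limits are illustrative assumptions.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;
import static java.io.ObjectInputFilter.Status.*;
// Added example, not SAP's code: a JEP 290 ObjectInputFilter that admits only an
// allow-list of classes and bounds graph size, i.e. the "restrict which classes can
// be deserialized" workaround. P4Request, the list and the limits are assumptions.
public class DeserializationAllowList {
    // Hypothetical application type that the service legitimately exchanges.
    public static final class P4Request implements Serializable {
        private static final long serialVersionUID = 1L;
        final String operation;
        P4Request(String operation) { this.operation = operation; }
    }
    // Every class in the incoming object graph must be here (or be a primitive).
    private static final Set<String> ALLOW_LIST = Set.of(P4Request.class.getName(), String.class.getName());
    static ObjectInputFilter allowListFilter() {
        return info -> {
            // Bound depth, back-references and array sizes against resource-exhaustion graphs.
            if (info.depth() > 10 || info.references() > 100 || info.arrayLength() > 1000) return REJECTED;
            Class<?> clazz = info.serialClass();
            if (clazz == null) return UNDECIDED;      // non-class check (e.g. array length only)
            while (clazz.isArray()) clazz = clazz.getComponentType();   // judge Foo[] as Foo
            return clazz.isPrimitive() || ALLOW_LIST.contains(clazz.getName()) ? ALLOWED : REJECTED;
        };
    }
    // The filter must be installed before the first readObject() on the stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowListFilter());
            return in.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        P4Request ok = (P4Request) readFiltered(serialize(new P4Request("ping")));  // legitimate request
        System.out.println("accepted: " + ok.operation);
        // A class not on the list (a HashMap, standing in for any unexpected type) is rejected
        // with InvalidClassException before any of its own readObject logic can run.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same restriction can be applied process-wide without code changes through the jdk.serialFilter system property, which takes a pattern-based allow/deny list; a per-stream filter as above is preferable where the application code can be changed, because it can be tailored to the types each endpoint actually expects.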
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.