By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
SAP NetWeaver RMI-P4 Insecure Deserialization Remote Code Execution
CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-42944
Exploit or Proof of Concept (PoC): No known PoC or exploitation has been reported yet.
Update: CVE-2025-42944 – SAP Security Note #3634501 – September 2025 Patch Day
Description: CVE-2025-42944 is a critical vulnerability in SAP NetWeaver (AS Java), specifically within its RMI-P4 module. The flaw involves insecure deserialization of untrusted Java objects. An unauthenticated, remote attacker could leverage this vulnerability by sending a crafted payload to an exposed RMI-P4 port, resulting in arbitrary OS command execution with the privileges of the affected system. This represents a complete compromise of confidentiality, integrity, and availability. The vulnerability affects SAP NetWeaver ServerCore 7.50.
No public PoC is available, and there are no confirmed in-the-wild exploits at this time. However, given the severity and impact, it is considered an urgent risk requiring swift remediation.
Mitigation Recommendation:
- Apply SAP Security Note #3634501 (September 2025 Patch Day) immediately to address CVE-2025-42944.
- If timely patching is not possible, isolate SAP NetWeaver AS Java (RMI-P4) systems from untrusted networks.
- Disable the RMI-P4 module if not needed.
- Conduct network segmentation and use intrusion detection/prevention tools to monitor for suspicious Java deserialization attempts or communications on RMI-related ports.
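As an added illustration of the monitoring recommendation above (this is example code written for this bulletin, not SAP's or RedLegg's tooling), the following Python flags flows toward SAP AS Java P4 ports whose payload carries a Java object serialization stream header. It assumes the SAP port convention that the P4 port of instance NN is 5NN04 (verify this against the instance profiles in your landscape), and the sample flows are constructed, not real captures.

```python
"""Flag traffic toward SAP NetWeaver AS Java P4 ports that carries a Java
serialization stream, in support of the monitoring recommendation."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Java object serialization stream header: STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION 5 (0x0005). Any payload containing this sequence is handing
# the receiver a serialized Java object graph to deserialize.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def p4_port(instance_number: int) -> int:
    """Return the P4 port for an SAP instance number under the 5NN04
    convention (assumption: confirm against local instance profiles).
    Instance 00 -> 50004, instance 01 -> 50104."""
    if not 0 <= instance_number <= 99:
        raise ValueError("instance number must be between 00 and 99")
    return 50000 + instance_number * 100 + 4


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    offset: int  # byte offset of the serialization header inside the payload


def find_serialized_java(flow: Flow, watched_ports: Set[int]) -> Optional[Finding]:
    """Return a Finding if the flow targets a watched P4 port and its payload
    contains a Java serialization stream header anywhere, else None."""
    if flow.dst_port not in watched_ports:
        return None
    idx = flow.payload.find(JAVA_SERIAL_MAGIC)
    if idx < 0:
        return None
    return Finding(flow.src, flow.dst, flow.dst_port, idx)


def scan(flows: Iterable[Flow], watched_ports: Set[int]) -> List[Finding]:
    """Run the check over a batch of flows and keep only the hits."""
    results = []
    for flow in flows:
        finding = find_serialized_java(flow, watched_ports)
        if finding is not None:
            results.append(finding)
    return results


# Constructed sample flows (not real captures): a 7-byte framing prefix, then
# a serialized java.util.HashMap; a plain framing message; a serialized object
# to a non-P4 port (out of scope here); a serialized object to instance 01.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "10.0.1.10", 50004,
         b"\x00\x00\x00\x20P4\x00" + JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"),
    Flow("10.0.5.24", "10.0.1.10", 50004, b"\x00\x00\x00\x08P4ping"),
    Flow("10.0.5.25", "10.0.1.10", 8443, JAVA_SERIAL_MAGIC + b"\x73\x72"),
    Flow("192.0.2.9", "10.0.1.11", 50104, JAVA_SERIAL_MAGIC + b"\x73\x72"),
]

if __name__ == "__main__":
    ports = {p4_port(0), p4_port(1)}
    for finding in scan(SAMPLE_FLOWS, ports):
        print(f"serialized Java object from {finding.src} to {finding.dst}:"
              f"{finding.dst_port} at offset {finding.offset}")
```

The byte check only works where the payload is visible to the sensor; if P4 is wrapped in TLS in your landscape, pair this with an inventory of which hosts expose P4 ports at all and with the isolation steps listed above, since every hit on an internet-facing or untrusted-network path is a candidate for immediate review.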