CVE-2025-42944 — Insecure Deserialization in SAP NetWeaver
Overview
The IONIX research team is tracking CVE-2025-42944, an insecure deserialization vulnerability in the RMI-P4 module of SAP NetWeaver AS Java. It is rated critical and warrants immediate attention.
What’s at Risk?
- Vector: An unauthenticated attacker who can reach the exposed P4 port submits a malicious serialized Java object, which the server deserializes without adequate validation.
- Impact: Successful exploitation yields arbitrary OS command execution on the host and can lead to complete system compromise; confidentiality, integrity, and availability are all at severe risk.
- Severity: SAP rates the flaw CVSS 10.0, the maximum possible score.
Context & Why It Matters
- SAP NetWeaver underpins core enterprise systems—including ERP, CRM, and SCM platforms—making it a high-value target.
- The RMI-P4 protocol is used for SAP-to-SAP communication and administrative tooling, and the P4 port is frequently left reachable from networks that should never see it, which widens the attack surface.
- This isn't an isolated fix: SAP's September 2025 Patch Day addressed 21 vulnerabilities, including three critical NetWeaver flaws, CVE-2025-42944 among them.
Current State of Exploitation
- No confirmed in-the-wild exploitation of CVE-2025-42944 at the time of writing.
- However, recent NetWeaver incidents (e.g., CVE-2025-31324 chained with the deserialization flaw CVE-2025-42999) show that attackers chain exploits, operate stealthily, and reuse deserialization gadgets across SAP components.
- Such modular exploit patterns make prompt patching urgent even before public exploits surface.
IONIX Recommendations
- Apply SAP Patch Immediately
Implement the SAP security note addressing CVE-2025-42944, released as part of September 2025 Patch Day. A list of potentially affected assets is available in the IONIX Threat Center; customers should review it to determine whether their environments are at risk and prioritize patching accordingly.
- Restrict Access to the P4 Port
Deploy firewall or ICM-level filtering so that only trusted hosts (administrative networks and peer SAP systems that genuinely need P4) can reach the port; block everything else.
- Audit for Potential Exposure
Verify whether the P4 port (by default 5NN04, where NN is the instance number) is inadvertently reachable from untrusted networks or the internet.
- Monitor & Hunt for Suspicious Activity
Track unusual deserialization attempts, anomalous RMI/P4 access patterns, and unexpected OS commands spawned by SAP Java processes.
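To make the "monitor and hunt" item concrete, the following added example (written for this article; it is not IONIX or SAP code) scans a captured payload for the Java serialization stream header and pulls class names out of the stream's class descriptors, so that a hunter can flag payloads that reference classes from known gadget chains. The sample payloads, the P4-style frame prefix, the gadget-class watchlist, and the search for the header at any offset are all assumptions made for illustration; the class-name extraction is a heuristic scan, not a full parser of the recursive serialization grammar.

```python
"""Heuristic detector for Java serialized objects in captured P4 traffic.

Added example, not IONIX or SAP code. It looks for the Java serialization
header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005) and extracts class
names from TC_CLASSDESC records so a hunter can spot gadget classes.
The sample payloads below are constructed, not captured from a real host.
"""
from __future__ import annotations

import re

STREAM_MAGIC = b"\xac\xed\x00\x05"  # 0xACED magic followed by version 0x0005
TC_CLASSDESC = 0x72                  # marker that precedes a class name

# Illustrative watchlist (assumption): class prefixes seen in public
# deserialization gadget chains. Extend it from your own gadget inventory.
GADGET_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
    "com.sun.rowset.JdbcRowSetImpl",
)

# Accepts dotted Java class names and JVM array descriptors such as [B.
CLASS_NAME_RE = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")


def is_java_serialized(blob: bytes) -> bool:
    """True if the serialization header appears anywhere in the buffer.

    Searching at any offset is an assumption: the object may be wrapped in
    a protocol frame rather than sitting at the start of the capture.
    """
    return STREAM_MAGIC in blob


def extract_class_names(blob: bytes) -> list[str]:
    """Return class names found in TC_CLASSDESC records, in stream order.

    Heuristic: every 0x72 byte after the header is tried as a class
    descriptor and kept only if the following length-prefixed UTF string
    looks like a Java class name.
    """
    start = blob.find(STREAM_MAGIC)
    if start < 0:
        return []
    names: list[str] = []
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            length = int.from_bytes(blob[i + 1:i + 3], "big")
            raw = blob[i + 3:i + 3 + length]
            if 0 < length <= 256 and len(raw) == length:
                try:
                    candidate = raw.decode("ascii")
                except UnicodeDecodeError:
                    candidate = ""
                if CLASS_NAME_RE.match(candidate):
                    names.append(candidate)
                    i += 3 + length  # skip past the name we just consumed
                    continue
        i += 1
    return names


def assess(blob: bytes) -> dict:
    """Classify one captured payload for a hunt: verdict plus evidence."""
    if not is_java_serialized(blob):
        return {"serialized": False, "classes": [], "gadgets": [], "verdict": "ignore"}
    classes = extract_class_names(blob)
    gadgets = [c for c in classes if c.startswith(GADGET_PREFIXES)]
    return {
        "serialized": True,
        "classes": classes,
        "gadgets": gadgets,
        # Any serialized object on the P4 port deserves a look; a gadget
        # class reference is an alert.
        "verdict": "alert" if gadgets else "review",
    }


def class_desc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record for the constructed samples.

    Layout: marker, UTF class name, serialVersionUID (8 bytes), flags (1),
    field count (2), TC_ENDBLOCKDATA, TC_NULL super class. Real streams
    also carry field descriptors and values; the samples omit them.
    """
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + len(encoded).to_bytes(2, "big") + encoded
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78" + b"\x70")


# Constructed samples. FRAME_PREFIX stands in for protocol framing around
# the object (assumption); 0x73 is TC_OBJECT.
FRAME_PREFIX = b"\x00\x00\x00\x40"
PLAIN = b"GET /irj/portal HTTP/1.1\r\n\r\n"
BENIGN = FRAME_PREFIX + STREAM_MAGIC + b"\x73" + class_desc("com.example.sap.PingRequest")
GADGET = (FRAME_PREFIX + STREAM_MAGIC + b"\x73" + class_desc("java.util.HashMap")
          + b"\x73" + class_desc("org.apache.commons.collections.functors.InvokerTransformer"))

if __name__ == "__main__":
    for label, payload in (("plain", PLAIN), ("benign", BENIGN), ("gadget", GADGET)):
        print(label, assess(payload))
```

In practice the payload would come from a P4 capture or a network sensor; anything that reaches the P4 port from outside the expected peer list and carries a serialization header is worth a ticket, and a hit on the gadget watchlist should page someone. The extraction is deliberately permissive (a stray 0x72 inside binary field data could yield a false candidate), so treat the class list as triage evidence rather than proof.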
Who Might Be Affected?
- Any SAP NetWeaver AS Java deployment whose RMI-P4 interface is reachable by untrusted parties, especially systems in DMZs or on flat, poorly segmented internal networks.
- Particularly concerning for high-value environments: multi-tier ERP, financial, or production systems where NetWeaver handles administration or inter-system communication.
Final Take
CVE-2025-42944 is a textbook example of how insecure deserialization can escalate quickly to full system compromise—especially when it’s unauthenticated and remotely exploitable. History shows that once patches go public, threat actors scramble to weaponize them. Now is the critical window for defenders: apply the patch, lock down access, and stay vigilant.