Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Insecure Deserialization RCE in SAP NetWeaver RMI-P4

IdentifiersCVE-2025-42944CWE-502· Deserialization of Untrusted Data

CVE-2025-42944 is a critical insecure deserialization vulnerability in SAP NetWeaver AS Java, specifically affecting the RMI-P4/ServerCore component. An unauthenticated attacker can send a malicious serialized Java object to an exposed RMI-P4 service port, where untrusted data is deserialized without sufficient validation. Public reporting describes the issue as affecting NetWeaver AS Java, including references to ServerCore 7.50, and enabling arbitrary OS command execution through crafted payloads delivered over the P4 protocol. SAP later issued additional hardening guidance and protections, including a JVM-wide deserialization filter (jdk.serialFilter) to block dangerous classes/packages.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in unauthenticated remote code execution and arbitrary operating system command execution in the context of the SAP NetWeaver process. This can lead to full compromise of the affected SAP application server, including loss of confidentiality, integrity, and availability, as well as follow-on actions such as data theft, system manipulation, service disruption, and broader compromise of business-critical SAP environments.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, restrict network access to the SAP NetWeaver RMI-P4 service to only trusted administrative/application hosts, and prevent exposure of the P4 port to untrusted networks or the internet. Apply SAP's recommended hardening, including the JVM-wide deserialization filter (jdk.serialFilter) referenced in public reporting, and monitor SAP NetWeaver systems for suspicious activity targeting RMI-P4/deserialization paths.

Remediation

Patch, then assume compromise.

Apply SAP's security updates for CVE-2025-42944 and any subsequent updated SAP Security Notes addressing this issue. The provided content references SAP Security Note 3634501 and later hardening/update guidance, including an October 2025 update and Security Note 3660659 adding further protections. Ensure the latest vendor-provided fixes and follow-up hardening measures are installed, not only the initial patch.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

49 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

A critical deserialization vulnerability in SAP NetWeaver that can enable unauthenticated attacks (per the content snippet).

Read more
securityaffairsNews
Nov 11, 2025
SAP fixed a maximum severity flaw in SQL Anywhere Monitor

A critical insecure deserialization vulnerability in SAP NetWeaver AS Java, addressed by security hardening.

Read more
bleeping computerNews
Nov 11, 2025
SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor

A critical vulnerability in SAP NetWeaver, addressed with updates in November 2025. Specific technical details are not provided in the content.

Read more
the hacker newsNews
Oct 15, 2025
New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

A maximum-severity insecure deserialization vulnerability in SAP NetWeaver AS Java that allows unauthenticated attackers to execute arbitrary OS commands via the RMI-P4 module.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity37

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-42944
NVD
nvd.nist.gov/vuln/detail/CVE-2025-42944
MITRE CWE · CWE-502
Deserialization of Untrusted Data
me.sap.com
me.sap.com/notes/3634501
me.sap.com
me.sap.com/notes/3660659
me.sap.com
me.sap.com/notes/3670067
url.sap
url.sap/sapsecuritypatchday