Introduction
Unrestricted remote code execution in SAP NetWeaver can lead to full compromise of business-critical systems, data exfiltration, and operational disruption. CVE-2025-42944 is a newly disclosed vulnerability that enables unauthenticated attackers to exploit SAP NetWeaver via its RMI-P4 module, with a maximum CVSS score of 10.0.
About SAP and NetWeaver: SAP SE is a global leader in enterprise application software, serving over 440,000 customers worldwide. SAP NetWeaver is the foundational platform for many SAP applications, providing integration, application server, and communication services for large-scale business environments. Its ubiquity in critical industries makes vulnerabilities in NetWeaver highly impactful.
Technical Information
CVE-2025-42944 is caused by insecure deserialization in the RMI-P4 module of SAP NetWeaver. The P4 protocol is used for remote Java object communication and typically listens on port 5NN04 (where NN is the SAP system number). Attackers can send specially crafted serialized Java objects to this port. Due to missing or insufficient validation, NetWeaver deserializes these objects without verifying their integrity or origin.
When a malicious payload is deserialized, attacker-controlled code is executed in the context of the SAP NetWeaver process. This allows arbitrary operating system commands to be run, potentially with high privileges. The attack does not require authentication, making exploitation feasible from any network segment with access to the P4 port.
The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). Exploitation typically involves building a gadget chain from available Java classes or SAP libraries to achieve code execution. No code snippets or PoC are available in public sources as of this writing.
Affected Systems and Versions
- SAP NetWeaver systems with the RMI-P4 module enabled
- Systems exposing P4 protocol on port 5NN04 (where NN is the SAP system number)
- Specific affected version numbers are not provided in public sources, but all unpatched NetWeaver deployments using the RMI-P4 module should be considered at risk
Vendor Security History
SAP has faced multiple critical vulnerabilities in NetWeaver throughout 2025, including:
- CVE-2025-42964: Deserialization flaw in NetWeaver
- CVE-2025-31324: Visual Composer remote code execution
- CVE-2025-42999: Related deserialization issue
SAP issues regular security updates via Security Patch Day and provides detailed security notes. Patch response is generally prompt, but the complexity of SAP landscapes can delay deployment in customer environments.