CVE-2025-42944
SAP NetWeaver Application Server Java Vulnerability Analysis and Mitigation

Overview

CVE-2025-42944 is a critical deserialization vulnerability in SAP NetWeaver's RMI-P4 module that allows unauthenticated remote attackers to execute arbitrary operating system commands by submitting malicious Java object payloads to an exposed port. The vulnerability affects SAP NetWeaver SERVERCORE version 7.50 and was publicly disclosed on September 9, 2025, coinciding with SAP's September 2025 Patch Day. It carries a CVSS v3.1 base score of 10.0 (Critical), the maximum possible severity (Red Hat CVE, ENISA EUVD, SAP Security Notes).

Technical details

The root cause is improper deserialization of untrusted data (CWE-502) within SAP NetWeaver's RMI-P4 (Remote Method Invocation over P4 protocol) module. An unauthenticated attacker can send a crafted malicious Java object payload directly to the open RMI-P4 port; when the server deserializes this payload, it triggers arbitrary OS command execution in the context of the SAP service account. The attack requires no authentication, no user interaction, and has low complexity, as the RMI-P4 port is network-accessible and the deserialization occurs without input validation. The vulnerability is mapped to CAPEC-586 (Object Injection) and a public proof-of-concept exploit has been published (GitHub PoC, RedRays Blog, ZeroPath Blog).

Impact

Successful exploitation grants an unauthenticated attacker full OS command execution on the affected SAP NetWeaver server, resulting in complete compromise of confidentiality, integrity, and availability. Attackers can exfiltrate sensitive business data, modify or destroy system components, install backdoors or ransomware, and use the compromised SAP server as a pivot point for lateral movement within the enterprise network. Given SAP NetWeaver's role as a core ERP platform in large enterprises and government organizations, exploitation could expose critical financial, HR, and operational data (Feedly Intel, Arctic Wolf, Security Affairs).

Mitigation and workarounds

SAP addressed this vulnerability as part of the September 2025 Patch Day; organizations should apply SAP Security Note 3634501 immediately, which provides the official patch for SAP NetWeaver SERVERCORE 7.50 (SAP Security Notes Sep 2025, SAP Note 3634501). As an interim workaround, restrict network access to RMI-P4 ports using firewall rules and network segmentation, ensuring these ports are not exposed to untrusted networks or the internet. Organizations should also monitor for suspicious deserialization activity and review SAP service account privileges to limit the blast radius of any potential exploitation (Onapsis Sep 2025, Arctic Wolf).
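As an added example (not from the page, SAP, or Onapsis), the following Python script audits the interim workaround above: it computes the P4 and P4-over-SSL listener ports for a set of SAP instance numbers and reports which of them accept a TCP connection from the network where the script runs. The 5NN04/5NN06 port scheme is an assumption about SAP's default instance port numbering, and the target host name is a placeholder; run it from an untrusted segment to confirm the firewall rules actually block the ports there.

```python
"""Audit exposure of SAP NetWeaver AS Java P4 listeners from this host."""
import socket
import sys
from typing import Dict, Iterable

# Assumption (not stated on the page): SAP's conventional port scheme,
# 5<NN>04 for P4 and 5<NN>06 for P4 over SSL, NN = two-digit instance number.
P4_OFFSETS = {"P4": 4, "P4 over SSL": 6}


def p4_ports(instance_numbers: Iterable[int]) -> Dict[int, str]:
    """Map every candidate TCP port to a label, for each instance number."""
    ports: Dict[int, str] = {}
    for nn in instance_numbers:
        if not 0 <= nn <= 99:
            raise ValueError(f"instance number out of range: {nn}")
        for label, offset in P4_OFFSETS.items():
            ports[50000 + 100 * nn + offset] = f"{label} (instance {nn:02d})"
    return ports


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; False on refusal, filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_p4_ports(host: str, instance_numbers: Iterable[int],
                     timeout: float = 2.0) -> Dict[int, str]:
    """Return only the P4/P4S ports that accept connections from here."""
    return {port: label for port, label in p4_ports(instance_numbers).items()
            if port_reachable(host, port, timeout)}


if __name__ == "__main__":
    # Placeholder target; pass the SAP host and, optionally, instance numbers.
    target = sys.argv[1] if len(sys.argv) > 1 else "sap-java.example.internal"
    instances = [int(a) for a in sys.argv[2:]] or list(range(100))
    hits = exposed_p4_ports(target, instances, timeout=1.0)
    if not hits:
        print(f"{target}: no P4/P4S listener reachable from this network")
    for port, label in sorted(hits.items()):
        print(f"{target}:{port} reachable  <- {label}; block at the firewall")
```

Any port reported as reachable from an untrusted segment means the workaround is not in effect for that path; an empty result from an internal admin network is expected and not evidence of protection.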

Community reactions

The vulnerability received significant attention from the security community upon disclosure, with multiple outlets including BleepingComputer, The Hacker News, Security Affairs, and Ars Technica covering it as a maximum-severity SAP flaw (BleepingComputer, The Hacker News). SAP security specialists Onapsis and SecurityBridge published detailed patch day analyses highlighting CVE-2025-42944 as the most critical issue of the September 2025 cycle (Onapsis Sep 2025, SecurityBridge). National CERTs including Ireland's NCSC, Belgium's CCB, Singapore's CSA, and Pakistan's NCERT issued advisories urging immediate patching, reflecting the broad enterprise impact of the vulnerability. Social media discussions on Mastodon, Bluesky, and Reddit highlighted the urgency given the CVSS 10.0 score and public PoC availability.

Additional resources

Source: This report was generated using artificial intelligence.

Related SAP NetWeaver Application Server Java vulnerabilities:

All entries below affect the technology and component SAP NetWeaver Application Server Java (cpe:2.3:a:sap:netweaver_application_server_java).

CVE ID         | Severity | Score | CISA KEV exploit | Has fix | Published
CVE-2025-42944 | CRITICAL | 10    | No               |         | Sep 09, 2025
CVE-2026-40128 | CRITICAL | 9     | No               |         | Jun 09, 2026
CVE-2026-27674 | MEDIUM   | 6.1   | No               |         | Apr 14, 2026
CVE-2025-42926 | MEDIUM   | 5.3   | No               |         | Sep 09, 2025
CVE-2026-23686 | LOW      | 3.4   | No               |         | Feb 10, 2026
