CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-42944

CVSS 10.0v3.1pub. 2025-09-09upd. 2026-04-15

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.

🤖 AI Analysis
How it works

An attacker sends a malicious payload containing untrusted Java objects to an open port handled by the RMI-P4 module in SAP NetWeaver. The server deserializes the submitted data without prior user authentication, allowing embedded code execution. As a result of deserialization of untrusted Java objects, it is possible to achieve full arbitrary OS command execution. The attack does not require any permissions or user interaction, and its scope extends beyond the application itself (S:C in the CVSS vector).

Impact

An attacker can gain full control over the server operating system — read, modify and destroy data, and disrupt service availability, which means a complete breach of confidentiality, integrity and availability of the SAP NetWeaver system.

Mitigation & patch

Patches available from the vendor must be applied immediately in accordance with SAP Security Notes 3634501, 3660659 and 3670067 (available at me.sap.com). Additionally, it is recommended to restrict network access to RMI-P4 ports exclusively to trusted hosts via firewall and to monitor network traffic on these ports until patches are deployed.

Who is affected

SAP NetWeaver with active RMI-P4 module with accessible network port; specific product versions indicated in vendor references (SAP Security Notes: 3634501, 3660659, 3670067)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth BypassDeserialization
CWE
References