PT-2025-36562 · SAP · SAP NetWeaver

Published: 2025-09-09 · Updated: 2025-11-13 · CVE-2025-42944

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Versions: SAP NetWeaver versions 5.3 through 10.0; SAP NetWeaver AS Java (affected versions not specified)
Description: SAP NetWeaver contains a critical deserialization flaw in the RMI-P4 module. Because the module deserializes untrusted Java objects, an unauthenticated attacker who can reach an exposed RMI-P4 port can submit a malicious serialized payload and execute arbitrary operating system commands. No privileges or user interaction are required, and the flaw has a high impact on the confidentiality, integrity, and availability of the application. Approximately 515,194 systems are potentially exposed.
Recommendations: Apply SAP Note 3634501 to all affected versions. Restrict or close access to the RMI-P4 module to minimize the risk of exploitation. Segment networks to limit the potential impact of a successful attack.

Tags: Fix, RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2025-10908, CVE-2025-42944

Affected Products: SAP NetWeaver