Critical

Insecure Deserialization RCE in SAP NetWeaver RMI-P4

IdentifiersCVE-2025-42944CWE-502· Deserialization of Untrusted Data

CVE-2025-42944 is a critical insecure deserialization vulnerability in SAP NetWeaver AS Java, specifically affecting the RMI-P4/ServerCore component. An unauthenticated attacker can send a malicious serialized Java object to an exposed RMI-P4 service port, where untrusted data is deserialized without sufficient validation. Public reporting describes the issue as affecting NetWeaver AS Java, including references to ServerCore 7.50, and enabling arbitrary OS command execution through crafted payloads delivered over the P4 protocol. SAP later issued additional hardening guidance and protections, including a JVM-wide deserialization filter (jdk.serialFilter) to block dangerous classes/packages.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in unauthenticated remote code execution and arbitrary operating system command execution in the context of the SAP NetWeaver process. This can lead to full compromise of the affected SAP application server, including loss of confidentiality, integrity, and availability, as well as follow-on actions such as data theft, system manipulation, service disruption, and broader compromise of business-critical SAP environments.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, restrict network access to the SAP NetWeaver RMI-P4 service to only trusted administrative/application hosts, and prevent exposure of the P4 port to untrusted networks or the internet. Apply SAP's recommended hardening, including the JVM-wide deserialization filter (jdk.serialFilter) referenced in public reporting, and monitor SAP NetWeaver systems for suspicious activity targeting RMI-P4/deserialization paths.

Remediation

Patch, then assume compromise.

Apply SAP's security updates for CVE-2025-42944 and any subsequent updated SAP Security Notes addressing this issue. The provided content references SAP Security Note 3634501 and later hardening/update guidance, including an October 2025 update and Security Note 3660659 adding further protections. Ensure the latest vendor-provided fixes and follow-up hardening measures are installed, not only the initial patch.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

ACTIVITY FEED

Recent activity

49 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

49 SOURCESView more in app

cloudatg insightsNews

Feb 13, 2026

AI Development & Software Engineering | CloudATG

A critical deserialization vulnerability in SAP NetWeaver that can enable unauthenticated attacks (per the content snippet).

securityaffairsNews

Nov 11, 2025

SAP fixed a maximum severity flaw in SQL Anywhere Monitor

A critical insecure deserialization vulnerability in SAP NetWeaver AS Java, addressed by security hardening.

bleeping computerNews

Nov 11, 2025

SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor

A critical vulnerability in SAP NetWeaver, addressed with updates in November 2025. Specific technical details are not provided in the content.

the hacker newsNews

Oct 15, 2025

New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

A maximum-severity insecure deserialization vulnerability in SAP NetWeaver AS Java that allows unauthenticated attackers to execute arbitrary OS commands via the RMI-P4 module.

+7 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity37

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-42944

NVD

nvd.nist.gov/vuln/detail/CVE-2025-42944

MITRE CWE · CWE-502

Deserialization of Untrusted Data

me.sap.com

me.sap.com/notes/3634501

me.sap.com

me.sap.com/notes/3660659

me.sap.com

me.sap.com/notes/3670067

url.sap

url.sap/sapsecuritypatchday