Full Report
SAP has addressed 21 new vulnerabilities affecting its products, including three critical severity issues impacting the NetWeaver software solution. [...]
Analysis Summary
# Vulnerability: Maximum Severity Arbitrary OS Command Execution in SAP NetWeaver
## CVE Details
- CVE ID: CVE-2025-42944
- CVSS Score: 10.0 (Critical)
- CWE: Insecure Deserialization
## Affected Systems
- Products: SAP NetWeaver (RMIP4), ServerCore
- Versions: 7.50 (the version specified for the vulnerable component)
- Configurations: Systems utilizing the RMI-P4 module/open P4 port. Exposure of the P4 port to wider networks or the internet increases risk.
## Vulnerability Description
The vulnerability is an **insecure deserialization flaw** residing in the SAP NetWeaver (RMIP4) ServerCore 7.50 component, specifically within the RMI-P4 module. An unauthenticated remote attacker can exploit this by sending a malicious Java object through the open RMI-P4 port, leading to **arbitrary OS command execution** on the affected system.
## Exploitation
- Status: Not explicitly stated as exploited in the wild for this specific CVE, but context indicates a high likelihood given the severity and nature of recent SAP targeting.
- Complexity: Low (Unauthenticated, network-based attack targeting an open port).
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
The vulnerability is addressed in SAP's September 2025 security bulletin. Specific notes must be consulted via a SAP account:
- Patch Note Reference 1: `3634501` (Likely applies to CVE-2025-42944)
### Workarounds
The source article does not explicitly list workarounds for CVE-2025-42944, but strongly implies that patching is the primary immediate action. Restricting network access to the P4 port could act as a temporary mitigation if patching is delayed.
## Detection
- Indicators of compromise would involve unexpected system processes initiated from the NetWeaver service host or unusual outbound network connections originating from the SAP application server.
- Detection methods should focus on monitoring network traffic targeted at the RMI-P4 port (often 50000+) for serialized Java object payloads, and monitoring for execution of unexpected OS commands by the NetWeaver service account.
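
The two checks described above can be sketched as a small triage script. This is an added example, not code from SAP or the source article. It assumes the AS Java server processes are named `jstart`/`jlaunch`, that the P4 port follows the 5<NN>04 instance-number convention, and it uses a constructed key=value log format with a hypothetical admin subnet.

```python
import ipaddress
import re

# Assumptions (not from the advisory): AS Java server processes are named
# jstart/jlaunch, and the P4 port follows the 5<NN>04 convention (NN = instance).
SAP_PARENTS = {"jstart", "jlaunch"}
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "curl", "wget"}
P4_PORT = re.compile(r"^5\d\d04$")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical admin subnet

# Constructed sample events in a simplified key=value format.
SAMPLE_LOG = """\
type=conn src=10.20.0.15 dst_port=50004
type=conn src=203.0.113.7 dst_port=50004
type=conn src=203.0.113.7 dst_port=50000
type=proc user=np1adm parent=jstart image=/usr/bin/bash cmd="bash -c id"
type=proc user=np1adm parent=jstart image=/usr/sap/NP1/J00/exe/sapjvm_8/bin/java cmd="java -version"
type=proc user=root parent=sshd image=/usr/bin/bash cmd="bash"
"""

def parse(line):
    """Split one key=value event line, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def triage(log_text):
    """Return (line_number, reason) for each event worth an analyst's look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse(line)
        if ev.get("type") == "conn" and P4_PORT.match(ev.get("dst_port", "")):
            # P4 should only be reachable from the allowlisted management range.
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in ALLOWED_SOURCES):
                findings.append((n, f"P4 port {ev['dst_port']} reached from {src}"))
        elif ev.get("type") == "proc" and ev.get("parent") in SAP_PARENTS:
            # A shell or download tool spawned by the Java server is unexpected.
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in SHELLS:
                findings.append((n, f"{ev.get('user')} spawned {image}: {ev.get('cmd')}"))
    return findings

if __name__ == "__main__":
    for n, reason in triage(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

In practice the same two rules would be fed from firewall or flow logs and from process-creation telemetry (for example auditd or Sysmon) on the application server.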
## References
- Vendor Advisory/Security Bulletin: SAP September 2025 Security Bulletin
- Patch Reference 1: `https://me.sap.com/notes/3634501`
- Patch Reference 2: `https://me.sap.com/notes/3643865`
- Patch Reference 3: `https://me.sap.com/notes/3627373`
---
***Note: The article also detailed other critical/high vulnerabilities (CVE-2025-42922, CVE-2025-42958, CVE-2025-42933, CVE-2025-42929, CVE-2025-42916) which should be addressed by consulting the full SAP security bulletin.***