Critical SAP NetWeaver AS Java Vulnerability (CVE-2025-42944) Allows Unauthenticated Remote Server Takeover via RMI-P4 Exploit

  • Rescana
  • Oct 16
  • 4 min read
Executive Summary

A newly disclosed critical vulnerability in SAP NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) enables unauthenticated attackers to execute arbitrary operating system commands and potentially seize full control of affected servers—without requiring any login credentials. The flaw, which resides in the RMI-P4 module due to insecure deserialization, is already the subject of active discussion in the global security community. Public exploit code is available, and multiple security vendors have confirmed exploitation attempts in the wild. Organizations running vulnerable SAP NetWeaver instances are at immediate risk of compromise, data theft, and operational disruption. Rapid remediation is essential to prevent potentially catastrophic business impact.

Threat Actor Profile

As of this report, there is no confirmed attribution to specific nation-state Advanced Persistent Threat (APT) groups. However, the criticality and ease of exploitation have made CVE-2025-42944 highly attractive to financially motivated cybercriminals and ransomware operators. Security analysts anticipate that APT groups will incorporate this exploit into their toolkits, given the strategic value of SAP NetWeaver in enterprise environments. The vulnerability is being actively discussed in both criminal and security research communities, and its exploitation is expected to proliferate rapidly.

Technical Analysis of Malware/TTPs

CVE-2025-42944 is a remote code execution vulnerability affecting the RMI-P4 module of SAP NetWeaver AS Java. The vulnerability is classified as insecure deserialization (CWE-502), a flaw that occurs when untrusted data is deserialized by a Java application, allowing attackers to inject malicious objects that can trigger arbitrary code execution.

The attack vector is network-based and does not require authentication. An attacker can send a specially crafted Java object to the RMI-P4 service, typically listening on TCP port 50004. When the vulnerable service deserializes this object, attacker-controlled code is executed in the context of the SAP NetWeaver process. This can result in full system compromise, including the ability to deploy webshells, exfiltrate sensitive data, manipulate business processes, or pivot deeper into the enterprise network.

The vulnerability is particularly severe because the RMI-P4 interface is often exposed to internal networks and, in some misconfigured environments, to the internet. The attack surface is further amplified by the prevalence of SAP NetWeaver in critical business operations across finance, manufacturing, government, and other sectors.

Technical analysis by Onapsis and TXOne reveals that exploitation is straightforward and does not require advanced skills. The attacker crafts a serialized Java payload using open-source tools such as ysoserial and transmits it to the RMI-P4 endpoint. Upon deserialization, the payload can execute arbitrary shell commands, download and install malware, or create persistent backdoors.

The vulnerability is addressed by SAP Security Note 3634501, which provides the patch and configuration guidance. SAP also recommends implementing JVM-wide deserialization filters (via the jdk.serialFilter property) and maintaining strict allow/block lists for deserializable classes.

Exploitation in the Wild

Exploitation of CVE-2025-42944 is not theoretical—multiple security intelligence sources confirm active attacks. Public exploit code is available on GitHub and has been referenced in security advisories and underground forums. Security researchers and vendors, including Onapsis, TXOne, and Darktrace, have observed attackers leveraging this vulnerability to deploy webshells, establish persistence, and exfiltrate data from compromised SAP NetWeaver servers.

Cybersecurity Dive reports that attackers are dropping webshell backdoors into SAP directories, enabling ongoing remote access. Security Affairs details how attackers are chaining this vulnerability with others (such as CVE-2025-42999) to achieve full system compromise and data theft. Telemetry from Onapsis and TXOne confirms a surge in scanning and exploitation attempts targeting the RMI-P4 port (50004/tcp).

Indicators of compromise include unusual inbound connections to the RMI-P4 port, creation of unauthorized files or webshells in SAP directories, and outbound connections from SAP servers to attacker-controlled infrastructure. Organizations should monitor for these IOCs and review logs for suspicious deserialization errors or command execution attempts.

Victimology and Targeting

The only confirmed affected product is SAP NetWeaver AS Java SERVERCORE 7.50, specifically the RMI-P4 module. No other versions or components are currently listed as affected for CVE-2025-42944 in official advisories or the National Vulnerability Database.

Organizations should verify their SAP landscape and ensure that any instance of SAP NetWeaver AS Java SERVERCORE 7.50 is immediately assessed and remediated. The attack surface is global, with particular risk to organizations in finance, manufacturing, government, and any sector relying on SAP NetWeaver for critical business operations.

Mitigation and Countermeasures

Immediate patching is the most effective mitigation. Organizations must apply the latest SAP security updates, with particular attention to SAP Note 3634501. This patch addresses the insecure deserialization flaw and provides updated configuration guidance.

In addition to patching, SAP and Onapsis recommend hardening the Java Virtual Machine (JVM) configuration. Administrators should implement the mandatory and optional class/package blocklists for deserialization, using the jdk.serialFilter property to restrict deserializable classes. This reduces the risk of exploitation even if a new deserialization flaw is discovered.
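To make the allow/block-list guidance (here and in the technical analysis above) concrete, the following is an added Python simulation of how the JVM evaluates a jdk.serialFilter pattern list: patterns are tried in order, the first match wins, a leading `!` rejects, and a class no pattern matches stays UNDECIDED and is still deserialized. It is not SAP's or the JDK's code; the class names are constructed, and limit and module-qualified patterns are deliberately skipped.

```python
"""Simulate how a jdk.serialFilter pattern list is evaluated (JEP 290 rules).
Added example, not SAP's or the JDK's code; class names are constructed."""
from enum import Enum

class Status(Enum):
    ALLOWED = "ALLOWED"
    REJECTED = "REJECTED"
    UNDECIDED = "UNDECIDED"  # no pattern matched; ObjectInputStream lets it through

def _matches(pattern: str, cls: str) -> bool:
    """Match one class-name pattern the way the JDK filter does."""
    if pattern.endswith(".**"):            # package and all sub-packages
        return cls.startswith(pattern[:-2])
    if pattern.endswith(".*"):             # that package only, no sub-packages
        prefix = pattern[:-1]
        return cls.startswith(prefix) and "." not in cls[len(prefix):]
    if pattern.endswith("*"):              # plain prefix; "*" alone matches everything
        return cls.startswith(pattern[:-1])
    return cls == pattern                  # exact class name

def check_class(serial_filter: str, cls: str) -> Status:
    """First matching pattern wins.  Limit patterns (maxdepth= etc.) and
    module-qualified patterns ("java.base/...") are skipped in this simulation."""
    for raw in serial_filter.split(";"):
        pat = raw.strip()
        if not pat or "=" in pat or "/" in pat:
            continue
        negate = pat.startswith("!")
        if _matches(pat[1:] if negate else pat, cls):
            return Status.REJECTED if negate else Status.ALLOWED
    return Status.UNDECIDED

def would_deserialize(serial_filter: str, cls: str) -> bool:
    """ObjectInputStream throws InvalidClassException only for REJECTED;
    UNDECIDED is accepted, which is why an allow list must end with '!*'."""
    return check_class(serial_filter, cls) is not Status.REJECTED

# Constructed names: an application class and a stand-in for a gadget class.
APP = "com.example.erp.OrderRecord"
GADGET = "org.thirdparty.functors.ChainedTransformer"

BLOCKLIST = "!org.thirdparty.functors.**;maxdepth=20"   # blocks one package only
ALLOWLIST = "com.example.erp.*;!*"                      # allow app classes, reject the rest
BROKEN = "!*;com.example.erp.*"                         # catch-all first shadows every allow

if __name__ == "__main__":
    for name, flt in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST), ("broken", BROKEN)):
        for cls in (APP, GADGET, "org.other.Gadget"):
            print(f"{name:9} {cls:45} {check_class(flt, cls).value}")
```

Running it shows the gap in a blocklist-only configuration: the unlisted `org.other.Gadget` is UNDECIDED and would still be deserialized, while the allow list with a trailing `!*` rejects everything except the application package.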

Continuous monitoring is essential. Security teams should monitor RMI-P4 port activity (50004/tcp) for anomalous connections, check for unauthorized file uploads or webshells, and review logs for suspicious deserialization errors or command execution attempts. Network segmentation and strict firewall rules should be enforced to limit access to the RMI-P4 service.
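As an added example (not Rescana's or SAP's tooling), the following Python triage runs two of the checks above over constructed log lines: connections to 50004/tcp from outside an assumed set of trusted networks, and JVM log entries showing a serialization filter rejection. The record formats, addresses and trusted network are assumptions.

```python
"""Triage constructed connection records and JVM log lines for the indicators
listed above.  Added example; both log formats are assumed, not SAP's."""
import re
from ipaddress import ip_address, ip_network

P4_PORT = 50004
# Assumed: the only networks permitted to reach RMI-P4 (e.g. SAP app/admin subnets).
TRUSTED_NETS = [ip_network("10.10.20.0/24")]

# Constructed firewall/flow records: "timestamp src_ip dst_ip dst_port".
CONN_LOG = """\
2025-10-16T09:00:01Z 10.10.20.15 10.10.5.8 50004
2025-10-16T09:01:42Z 203.0.113.77 10.10.5.8 50004
2025-10-16T09:01:43Z 203.0.113.77 10.10.5.8 50004
2025-10-16T09:02:10Z 198.51.100.9 10.10.5.8 443
"""
# Constructed JVM log lines; "filter status: REJECTED" is the text
# ObjectInputStream puts in the InvalidClassException a serial filter raises.
JVM_LOG = """\
2025-10-16T09:01:42Z WARN  p4 java.io.InvalidClassException: filter status: REJECTED
2025-10-16T09:01:43Z WARN  p4 java.io.InvalidClassException: filter status: REJECTED
2025-10-16T09:05:00Z INFO  p4 session closed
"""
CONN_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
REJECT_RE = re.compile(r"InvalidClassException: filter status: REJECTED")

def untrusted_p4_sources(log: str) -> dict:
    """Count 50004/tcp connections per source address outside TRUSTED_NETS."""
    hits = {}
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if not m or int(m.group(4)) != P4_PORT:
            continue
        src = ip_address(m.group(2))
        if not any(src in net for net in TRUSTED_NETS):
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits

def filter_rejections(log: str) -> int:
    """Count serialized payloads the JVM filter rejected: each one reached the
    P4 listener and warrants the same investigation as a successful attempt."""
    return sum(1 for line in log.splitlines() if REJECT_RE.search(line))

def triage(conn_log: str, jvm_log: str) -> dict:
    """Combine both signals into one finding an analyst can act on."""
    sources = untrusted_p4_sources(conn_log)
    rejections = filter_rejections(jvm_log)
    return {"untrusted_p4_sources": sources, "filter_rejections": rejections,
            "alert": bool(sources) or rejections > 0}
```

On the constructed data the untrusted source and the two filter rejections share a timestamp, which is exactly the correlation worth surfacing in a SIEM rule.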

If immediate patching is not possible, organizations should consider temporarily disabling the RMI-P4 service or restricting access to trusted hosts only. However, these are temporary measures and do not replace the need for a comprehensive patch.

About Rescana

Rescana empowers organizations to proactively manage third-party risk and supply chain security with our advanced TPRM platform. Our continuous monitoring, automated risk assessment, and actionable intelligence help you stay ahead of emerging threats and regulatory requirements. We are committed to supporting your security team with timely, relevant, and actionable threat intelligence.

If you have any questions about this advisory or need further assistance, we are happy to help at ops@rescana.com.