Cyber Posture

CVE-2025-42944

Critical · RCE

Published: 09 September 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-42944 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP (vendor inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Mandates timely flaw remediation by applying SAP patches that directly fix the deserialization vulnerability in the RMI-P4 module.

Prevent: Enforces boundary protections such as firewalls to restrict unauthenticated network access to the exposed RMI-P4 port.

Prevent: Limits system to least functionality by disabling unnecessary services like the RMI-P4 module, preventing exposure of the vulnerable port.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Remote unauthenticated deserialization RCE in a public-facing SAP service directly enables T1190 exploitation and OS command execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.

Deeper analysis

CVE-2025-42944 is a critical deserialization vulnerability (CWE-502) affecting SAP NetWeaver, specifically in the RMI-P4 module. Published on September 9, 2025, it allows the deserialization of untrusted Java objects when a malicious payload is submitted to an open port, potentially leading to arbitrary operating system command execution. The vulnerability has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its network accessibility, low complexity, and high impacts on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network without user interaction or privileges by sending a crafted payload to the exposed RMI-P4 port on vulnerable SAP NetWeaver systems. Successful exploitation grants the attacker the ability to execute arbitrary OS commands with the privileges of the SAP process, enabling full system compromise including data exfiltration, modification, or disruption.

SAP has addressed the issue through security notes 3634501, 3660659, and 3670067, which provide patches and mitigation guidance, as detailed on the SAP Security Patch Day page at https://url.sap/sapsecuritypatchday. Security practitioners should apply these updates promptly to exposed NetWeaver instances and restrict access to the RMI-P4 port where possible.

Details

CWE(s)

Affected Products

SAP
Inferred from references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

CVE-2025-23006 (shared CWE-502)
CVE-2026-22345 (shared CWE-502)
CVE-2025-29310 (shared CWE-502)
CVE-2024-9664 (shared CWE-502)
CVE-2025-1971 (shared CWE-502)
CVE-2025-2485 (shared CWE-502)
CVE-2024-13889 (shared CWE-502)
CVE-2025-25940 (shared CWE-502)
CVE-2026-24385 (shared CWE-502)
CVE-2025-60233 (shared CWE-502)
