New SAP NetWeaver AS Java CVE-2025-42944: Critical Insecure Deserialization Enables Pre-Auth Takeover via RMI-P4

Introduction: what happened and why it matters

SAP has released fixes and additional hardening for a maximum-severity (CVSS 10.0) vulnerability in SAP NetWeaver AS Java: CVE-2025-42944. The flaw is an insecure deserialization issue reachable without authentication through the RMI-P4 interface, allowing arbitrary OS command execution and full application compromise. On October 14, 2025 (SAP Patch Day), SAP also shipped an extra hardening note that adds a JVM-wide deserialization filter to reduce exploitation risk.

In brief

  • Product/Component: SAP NetWeaver AS Java (ServerCore 7.50), RMI-P4.
  • Identifier/Severity: CVE-2025-42944, CVSS 10.0 (critical).
  • Attack surface: Network-exposed RMI-P4 port; no login required.
  • Impact: Arbitrary command execution → full takeover of SAP Java stack and underlying host.
  • Status (as of Oct 16, 2025): Patched; SAP issued initial fix in September and additional hardening in October. No confirmed in-the-wild exploitation disclosed yet.

Context: timeline and related notes

  • Sep 8–9, 2025: CVE record published; SAP’s September Patch Day ships a HotNews note addressing the deserialization flaw in AS Java (note #3634501).
  • Oct 14, 2025: SAP’s October Patch Day adds Security Note #3660659 to harden deserialization by enforcing a JVM-wide jdk.serialFilter policy; three additional critical issues (directory traversal in SAP Print Service – CVE-2025-42937, unrestricted file upload in SAP SRM – CVE-2025-42910) are also patched.
  • Oct 15, 2025: Public reporting highlights the risk and the importance of applying both the original fix and the new hardening.

Technical analysis: how CVE-2025-42944 works

RMI-P4 exposure. The NetWeaver AS Java stack exposes a proprietary RMI-P4 service. By sending a crafted, serialized Java payload to the listening port, an attacker can trigger deserialization of untrusted objects, pivot to a gadget chain, and execute arbitrary OS commands in the SAP Java context. Because the endpoint is reachable pre-auth, Internet-exposed or flat network deployments are at the highest risk.

JVM-level hardening. SAP’s October hardening note introduces a JVM-wide jdk.serialFilter that rejects listed classes and packages, reducing the set of gadget classes that can be deserialized anywhere on the platform. Onapsis confirms it collaborated with SAP on defining the mandatory and optional filter lists and describes validation steps to ensure the filter is actually applied. This is an extra layer on top of the September code fixes, not a replacement for them.

Other critical notes in the bundle.

  • CVE-2025-42937 (SAP Print Service): unauthenticated directory traversal → overwrite system files. CVSS 9.8.
  • CVE-2025-42910 (SAP SRM): unrestricted file upload → arbitrary file/malware upload. CVSS 9.0.

Practical consequences and risk scenarios

  • Complete application compromise: Command execution lets attackers deploy web shells, manipulate SAP Java services, exfiltrate credentials/secrets, and move laterally to connected ABAP/BW/HANA systems.
  • Business disruption: Potential to interrupt critical workflows (finance, procurement, manufacturing) and impact uptime/SLAs.
  • Compliance exposure: Unauthorized access to regulated data (PII, financials) can trigger audit findings and fines.

Industry watchers emphasize that the P4/RMI chain remains a recurring weak point in AS Java; SAP responded with a direct code fix plus a hardened JVM configuration to curb gadget-class abuse.

What to do now: operational recommendations

Patch sequencing (do all):

  1. Apply both SAP Security Notes for CVE-2025-42944: September #3634501 (core fix) and October #3660659 (JVM serial filter). Verify implementation on all AS Java systems (prod, QA, dev).
  2. In the same window, patch CVE-2025-42937 (Print Service) and CVE-2025-42910 (SRM) if present in your estate.

Configuration & hardening:

  • Enable and validate jdk.serialFilter as per SAP’s October note; confirm filter syntax and version prerequisites (NetWeaver & JVM) and test against mandatory/optional block lists.
  • Restrict RMI-P4 exposure:
    • Bind RMI-P4 to internal interfaces; block from the Internet.
    • Enforce network segmentation and ACLs between user subnets and SAP admin ports.
    • Monitor for unexpected inbound traffic to RMI-P4.
  • Detection & response:
    • Create SIEM detections for anomalous RMI-P4 connections and Java process spawns (e.g., cmd.exe, /bin/sh) under SAP JVM.
    • Hunt for serialized payload artifacts and suspicious .class/JAR writes in AS Java temp/work directories. (Derived from typical deserialization TTPs; align with your EDR rules.)
  • Asset inventory: Quickly enumerate all AS Java instances (including older sandboxes) and reconcile against patch/serialFilter status. Onapsis notes automated checks can validate correct filter setup.
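The JVM-level hardening described above and the "confirm filter syntax" step in this list both hinge on how jdk.serialFilter patterns are matched. The following added example (not SAP or Onapsis code, and not the block lists from the SAP note) re-implements the documented matching rules of java.io.ObjectInputFilter.Config.createFilter in Python so a proposed filter value can be checked against class names offline; the filter string and class names used with it are constructed placeholders.

```python
"""Offline checker for jdk.serialFilter pattern strings.

Added example, not SAP or Onapsis code and not the SAP note's block lists. It
re-implements the rules documented for java.io.ObjectInputFilter.Config.createFilter
so a proposed filter value can be sanity-checked against class names before
rollout. Module-qualified patterns and primitive arrays are out of scope."""
LIMITS = ("maxdepth", "maxarray", "maxrefs", "maxbytes")

def parse_filter(spec):
    """Split the ';'-separated spec into limits and ordered (reject, pattern) pairs."""
    limits, patterns = {}, []
    for token in filter(None, spec.split(";")):   # the JDK skips empty patterns
        if "=" in token:                           # resource limit, e.g. maxdepth=20
            key, value = token.split("=", 1)
            if key not in LIMITS:
                raise ValueError("unknown limit: " + key)
            limits[key] = int(value)
        elif "/" in token:
            raise ValueError("module-qualified pattern not supported: " + token)
        else:
            reject = token.startswith("!")
            patterns.append((reject, token[1:] if reject else token))
    return limits, patterns

def element_type(class_name):
    # Object arrays are matched on their element type, as the JDK does: [Lx.Y; -> x.Y
    name = class_name.lstrip("[")
    if name != class_name and name.startswith("L") and name.endswith(";"):
        return name[1:-1]
    return name

def matches(pattern, class_name):
    """JDK wildcard rules, checked in order: 'pkg.**', 'pkg.*', 'prefix*', exact."""
    if pattern.endswith(".**"):                   # package and all subpackages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):                    # package only, no subpackages
        pkg = pattern[:-1]
        return class_name.startswith(pkg) and "." not in class_name[len(pkg):]
    if pattern.endswith("*"):                     # plain prefix match
        return class_name.startswith(pattern[:-1])
    return class_name == pattern

def check_class(spec, class_name):
    """'REJECTED'/'ALLOWED' from the first left-to-right match, else 'UNDECIDED'.
    UNDECIDED is not a block: ObjectInputStream refuses only REJECTED classes."""
    _, patterns = parse_filter(spec)
    target = element_type(class_name)
    for reject, pattern in patterns:
        if matches(pattern, target):
            return "REJECTED" if reject else "ALLOWED"
    return "UNDECIDED"
```

Run a candidate filter value through check_class for the gadget classes you expect it to cover and for a class no pattern names: a result of UNDECIDED means the JVM will still deserialize that class, which is why a trailing "!*" entry turns a block list into an allow list.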

Compensating controls (if patching is delayed):

  • Temporarily disable or firewall RMI-P4 where operationally feasible.
  • Web application firewalls and reverse proxies do not reliably block serialized Java payloads; treat them as defense in depth only. (General deserialization guidance corroborated by vendor advisories.)

How this compares to other recent SAP issues

Unlike typical authZ bypass or CSRF flaws in ABAP/Fiori (Medium severity), CVE-2025-42944 is pre-auth remote code execution on the Java side with a CVSS of 10.0—placing it in the top tier of SAP risks this year. SAP also fixed directory traversal in Print Service (9.8) and file upload in SRM (9.0) in the same cycle, but neither combines the same level of reachability and impact as a deserialization-based RCE.

Summary / key takeaways

  • CVE-2025-42944 enables unauthenticated RCE via RMI-P4 in NetWeaver AS Java; patch + harden immediately.
  • Apply two notes: the September fix and the October JVM serialFilter hardening; verify filters are correctly enforced.
  • Reduce exposure of admin/remote ports and watch for deserialization TTPs in your SAP telemetry.
  • Address other critical notes from October (Print Service, SRM) during the same change window.

Sources / bibliography

  1. SAP Security Patch Day – October 2025 (official): notes list including #3660659, #3630595, #3647332 and CVE mappings. (support.sap.com)
  2. CVE-2025-42944 (CVE.org / NVD): vulnerability description and pre-auth RMI-P4 vector, CVSS 10.0. (CVE)
  3. Onapsis analysis: details of the JVM-wide jdk.serialFilter hardening, validation approach, and note cross-references. (Onapsis)
  4. The Hacker News report (Oct 15, 2025): public write-up summarizing SAP’s fixes and added hardening; no exploitation observed at publication. (The Hacker News)
  5. Pathlock Patch Day brief: commentary on the P4/RMI chain as continued exposure and need for hardened JVM configuration. (Pathlock)