← back
CVE-2025-42944

Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)

CVSS 10 CRITICALEPSS 2.9%CWE-502
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
SAP_SE · SAP Netweaver (RMI-P4)
public PoCs found1
githubgithub.com/rxerium/CVE-2025-429440
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3634501https://me.sap.com/notes/3660659https://me.sap.com/notes/3670067https://url.sap/sapsecuritypatchday