CVE-2025-42944

CRITICAL

SAP NetWeaver - Unauthenticated Remote Code Execution via RMI-P4 Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-42944. PoCs published by rxerium.

AI-analyzed exploit summary This repository provides a Nuclei template for detecting SAP NetWeaver Application Server instances vulnerable to CVE-2025-42944, a deserialization flaw in the RMI-P4 module. It identifies vulnerable versions (7.50 or below) via server headers and regex matching.

Description

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.

Exploits (1)

nomisec SCANNER
by rxerium · poc
https://github.com/rxerium/CVE-2025-42944

This repository provides a Nuclei template for detecting SAP NetWeaver Application Server instances vulnerable to CVE-2025-42944, a deserialization flaw in the RMI-P4 module. It identifies vulnerable versions (7.50 or below) via server headers and regex matching.

Classification
Scanner 90%
Attack Type
Deserialization
Complexity
Trivial
Reliability
Reliable
Target: SAP NetWeaver Application Server <= 7.50
No auth needed
Prerequisites: Access to the target SAP NetWeaver instance · Open RMI-P4 port
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 10.0
EPSS 0.0288
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Products (1)
SAP_SE/SAP Netweaver (RMI-P4) SERVERCORE 7.50
Published Sep 09, 2025
Tracked Since Feb 18, 2026