Critical Vulnerability in SAP NetWeaver (CVE-2025-42944)

Executive Summary

On September 9th, SAP released an advisory describing several vulnerabilities across multiple SAP platforms. Among these was CVE-2025-42944 (CVSS 10.0), which affects SAP NetWeaver Application Server. This vulnerability involves insecure deserialization and may permit unauthorized remote code execution on target systems.

SAP NetWeaver functions as the core software stack for many of SAP’s application suites and is commonly configured for internet accessibility. If compromised, attackers could exfiltrate extremely sensitive information typically hosted or processed by the SAP software suite or could provide attackers with initial access to internal networks of affected organizations.

At the time of writing, no in-depth technical details of the vulnerability had been provided, no proof-of-concept exploit code was known to be available, and no cases of exploitation in the wild had been publicly reported. However, software fixes for the vulnerability have been made available, and Beazley Security expects threat actors to study the patches and deploy weaponized exploits in the coming days and weeks. Given the sensitive nature of SAP-powered systems, Beazley Security strongly recommends that affected organizations update their systems as soon as possible.

Affected Systems or Products

Product                   Affected
SAP NetWeaver (RMI-P4)    SERVERCORE 7.50

Mitigations / Workarounds

SAP has not provided or recommended any mitigations or workarounds for CVE-2025-42944.

Patches

Security fixes have been made available through the normal update channels. More information is available on SAP's support portal.

Technical Details

The technical details of the software bug responsible for CVE-2025-42944 have not been made publicly available; however, vulnerabilities involving insecure deserialization are well documented. Such flaws allow a threat actor to supply crafted serialized data that the receiving application reconstructs into objects without adequate validation. Depending on the implementation and system configuration, this can result in remote code execution (RCE), as is the case with CVE-2025-42944.

In many system-to-system applications, a program needs to send an object over the network to a separate remote program for processing. Serialization encodes an object into a byte stream so that it can be sent across a network to another program, and deserialization reverses that process so that the receiving program can reconstruct and use the object. If deserialization is not implemented securely, a threat actor can send crafted objects that the target application will reconstruct and process.

In the case of CVE-2025-42944, the affected component is the RMI-P4 protocol. RMI-P4 is a proprietary SAP protocol used mainly for communication between SAP applications, and SAP's documentation describes it in more detail.
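The serialization discussion above describes the general failure mode: the receiving side reconstructs whatever class the sender chose. The following Java program is an added illustration written for this advisory; it is not SAP code, it does not reflect how RMI-P4 or SAP's fix is implemented, and it assumes a Java 9 or later runtime, where the JDK's own ObjectInputFilter (JEP 290) is available. It places an unfiltered ObjectInputStream.readObject() call beside a hardened version that allowlists the only types the receiver was written to accept and bounds nesting depth, then feeds both a constructed expected message and a constructed unexpected (here harmless) type.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class DeserializationFilterDemo {

    // Vulnerable pattern: any Serializable class on the classpath can be
    // reconstructed from attacker-controlled bytes; the receiver never says
    // which types it actually expects.
    static Object loadUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter. Only ArrayList and String are
    // permitted, "!*" rejects every other class, and maxdepth/maxarray bound
    // object graph nesting and array sizes before allocation happens.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;java.util.ArrayList;java.lang.String;!*");

    static Object loadFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample streams below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the message type the receiving code was written for.
        List<String> expected = new ArrayList<>(List.of("order-42", "ship"));
        byte[] expectedBytes = serialize(expected);

        // Constructed sample: a type the receiver never asked for. A HashMap is
        // harmless; the point is that the unfiltered stream reconstructs it anyway.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] unexpectedBytes = serialize(unexpected);

        System.out.println("unfiltered, expected type : "
                + loadUnfiltered(expectedBytes).getClass().getName());
        System.out.println("unfiltered, unexpected    : "
                + loadUnfiltered(unexpectedBytes).getClass().getName());

        System.out.println("filtered, expected type   : "
                + loadFiltered(expectedBytes).getClass().getName());
        try {
            loadFiltered(unexpectedBytes);
            System.out.println("filtered, unexpected      : accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before any constructor or
            // readObject() of the unexpected class is ever invoked.
            System.out.println("filtered, unexpected      : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The design point is that the filter is evaluated on the class descriptor as it is read from the stream, so a rejected type never has its readObject() or any other code run. In practice the allowlist should name exactly the types a given endpoint exchanges, and on Java 9 and later the same filter can be applied process-wide with the jdk.serialFilter system property rather than per stream.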

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
