3634501 - [CVE-2025-42944] Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
Symptom
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
Change Log:
v38 (Current Version) - UPDATE 12th September 2025: This note has been re-released with updated instructions in the 'Workaround' section.
v34 (Previous Version) - UPDATE 10th September 2025: This note has been re-released with updated instructions in the 'Workaround' section.
v33 (Initial Version released to customers)
Other Terms
OS command execution, Remote Code Execution, Insecure Deserialization, CVE-2025-42944
Reason and Prerequisites
Insecure Deserialization of untrusted or malicious content
Solution
The issue was resolved by updating the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module.
Please implement the patches listed in the "Support Packages & Patches" section of this SAP Security Note. Note that the prerequisite for applying this patch is a Java Virtual Machine with a Java version newer than Java 8 u121 (April 18, 2017). Please update the JVM if needed: see SAP Note 2695197.
To avoid incompatibilities on the system, please check SAP Note 1974464 (Information on SCA Dependency Analysis for Java download objects) before applying the update.
For additional information or questions regarding the patch, see SAP Note 3637718.
Workaround
If your system is already isolated at the network level and the P4 and P4S ports are not accessible from untrusted networks, then the workaround is already in place and you can skip the information below.
Please assess the workaround applicability for your SAP landscape prior to implementation.
This affects only AS Java (where the ICM is used), not the Web Dispatcher (WD), because the Web Dispatcher itself does not support the P4/P4S protocol and does not open P4/P4S ports.
Note that this workaround has to be applied only when/while a patch/SP update is not possible. SAP strongly recommends that you apply the corrections outlined in this security note, which can be done instead of the workaround or after the workaround is implemented. The workaround can be rolled back after the patch/SP update is applied, if needed.
The workaround involves ensuring that your system is properly isolated at the network level, with the P4/P4S ports listening only on IP addresses from your internal network. If P4/P4S is exposed to public access, you need to be cautious and apply additional security measures.
If you need client IP filtering, see https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/0c39b84c3afe4d2d9f9f887a32914ecd.html?locale=en-US (applicable only to P4 and P4S).
Steps to execute:
1. Ensure only trusted systems are reachable on this interface through network-level controls (e.g., firewall rules).
2. Plan and schedule a patch or SP update as soon as possible to eliminate the underlying vulnerability.
The workaround covers any network configuration that limits the visibility of the P4/P4S ports. You can test with telnet <ASJ_host> <p4_port, e.g. 50004> from an outside network to see whether the port is reachable. You can check SAP MMC -> Access Points to see on which IPs the P4/P4S ports are listening. Involve your network/OS administrator to check and configure the setup.
Note: Implementing the workaround should be considered carefully when there are P4 clients such as SUM, Solution Manager, IB, and others.
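The two checks the workaround describes (probing the P4 port from another network, and reviewing which addresses the P4/P4S listeners are bound to), as an added shell example that is not part of this SAP note: `p4_reachable` stands in for the telnet probe, and `exposed_listeners` scans `ss -ltn`-style output for the given ports bound to a wildcard address. The use of `ss` in place of SAP MMC, the nc/bash probe, and the port numbers other than 50004 are assumptions; the listener table is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the SAP note. Assumptions: listener data comes from
# `ss -ltn` (iproute2 format) on the AS Java host; P4/P4S port numbers are
# supplied by the operator (the note only names 50004 as an example P4 port).

# Same check as "telnet <ASJ_host> <p4_port>" from an outside network, run from
# a host that should NOT be able to reach the port. Prints open/closed/unknown.
p4_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1 && echo open || echo closed
    elif [ -n "$BASH_VERSION" ]; then
        # bash-only fallback via the /dev/tcp pseudo-device (no nc installed)
        (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null && echo open || echo closed
    else
        echo unknown
    fi
}

# Reads `ss -ltn` output on stdin; prints each listener whose port is one of
# the arguments and whose local address is a wildcard (0.0.0.0, [::] or *),
# i.e. a P4/P4S listener bound to every interface rather than only to the
# internal network address the workaround requires.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)   # text before the last colon
            if ((port in want) && (host == "0.0.0.0" || host == "[::]" || host == "*"))
                print addr
        }'
}

# Constructed sample of `ss -ltn` output: P4 on 50004 bound to all IPv4
# addresses, a second port bound to every IPv6 address, and two listeners
# that are correctly restricted (internal address / loopback).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:50004       0.0.0.0:*
LISTEN 0      128    10.0.0.5:50000      0.0.0.0:*
LISTEN 0      128    [::]:50006          [::]:*
LISTEN 0      128    127.0.0.1:50006     0.0.0.0:*'

# On a real system: ss -ltn | exposed_listeners 50004 50006
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 50004 50006
```

Any line the scan prints is a listener that still needs to be bound to an internal address or shielded by firewall rules before the workaround can be considered in place.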
Source: http://www.cnblogs.com/weikui/