Arctic Wolf Security Bulletin

CVE-2025-42944: Maximum-Severity OS Command Execution Vulnerability in SAP NetWeaver


On September 9, 2025, SAP released its September 2025 Security Patch Day update with patches for 21 vulnerabilities. 

The most severe of these, CVE-2025-42944, is a maximum-severity vulnerability in the RMI-P4 module of SAP NetWeaver, caused by deserialization of untrusted Java objects. A remote unauthenticated threat actor can exploit this vulnerability by submitting a malicious payload to an open port to achieve arbitrary OS command execution.

Arctic Wolf has not observed exploitation of CVE-2025-42944 or identified a publicly available proof of concept at this time. However, SAP products remain attractive targets for threat actors since they manage critical business functions (e.g., finance, HR, supply chain, and logistics) and often store highly sensitive data. Notably, in April, threat actors exploited another maximum-severity vulnerability in SAP NetWeaver (CVE-2025-31324), underscoring the continued interest in targeting SAP systems. 

Recommendations for CVE-2025-42944

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

| Product | Affected Version | Fixed Version |
|---|---|---|
| SAP NetWeaver (RMI-P4) | SERVERCORE 7.50 | Patch for 7.50 |

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
