
New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

Severity: Medium
Tags: Vulnerability, java
Published: Wed Oct 15 2025 (10/15/2025, 05:36:00 UTC)
Source: The Hacker News

Description

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. "Due to a deserialization vulnerability in SAP NetWeaver, an

AI-Powered Analysis

Last updated: 10/16/2025, 01:29:16 UTC

Technical Analysis

The reported threat centers on a severe deserialization vulnerability in SAP NetWeaver AS Java, tracked as CVE-2025-42944, with a maximum CVSS score of 10.0. The flaw arises from insecure deserialization of untrusted Java objects via the RMI-P4 module, which listens on an open network port. An unauthenticated attacker can submit a malicious serialized payload to this module and trigger arbitrary operating system command execution on the server hosting SAP NetWeaver, compromising the confidentiality, integrity, and availability of the affected system. SAP initially patched the vulnerability but has since released additional hardening measures, including a JVM-wide serialization filter (jdk.serialFilter) that blocks deserialization of dangerous classes and packages and so reduces the risk of gadget-chain exploitation.

Besides CVE-2025-42944, SAP also patched other critical vulnerabilities: CVE-2025-42937, a directory traversal flaw in SAP Print Service that allows unauthenticated attackers to overwrite system files, and CVE-2025-42910, an unrestricted file upload vulnerability in SAP Supplier Relationship Management that could lead to arbitrary file execution.

Although no active exploitation has been observed, the combination of high severity, exploitability without authentication, and the critical role of SAP systems in enterprises makes this a significant threat. The deserialization flaw is particularly dangerous because it bypasses authentication entirely and yields arbitrary command execution, potentially leading to full system compromise. The patch and the JVM serialization filter form a layered defense: the patch addresses the vulnerability itself, and the filter addresses the exploitation vector by refusing the classes a gadget chain depends on. Organizations running SAP NetWeaver AS Java and related SAP products must prioritize both patching and the configuration changes to mitigate this threat effectively.

Potential Impact

For European organizations, the impact of this vulnerability is substantial. SAP NetWeaver is widely used across various industries including manufacturing, finance, utilities, and public sector entities in Europe. Successful exploitation could lead to complete server takeover, data breaches involving sensitive corporate and personal data, disruption of critical business processes, and potential compliance violations under GDPR due to unauthorized data access. The arbitrary command execution capability means attackers could deploy ransomware, exfiltrate data, or pivot within networks, causing widespread operational and reputational damage. The directory traversal and file upload vulnerabilities in other SAP components further increase the attack surface, potentially allowing attackers to overwrite critical files or upload malicious executables. Given the critical role SAP systems play in European enterprises and government agencies, the threat could disrupt essential services and supply chains. The lack of authentication requirement and remote exploitability increase the risk of automated attacks and wormable exploits, amplifying potential damage. Organizations with exposed SAP NetWeaver instances or insufficient network segmentation are particularly vulnerable. The threat also poses risks to managed service providers and cloud environments hosting SAP workloads in Europe, potentially affecting multiple customers simultaneously.

Mitigation Recommendations

European organizations should immediately apply the latest SAP security patches addressing CVE-2025-42944 and related vulnerabilities. Beyond patching, enable and configure the JVM-wide serialization filter (jdk.serialFilter) as recommended by SAP and security researchers to block deserialization of unsafe classes and packages, reducing the risk of gadget chain exploitation. Conduct thorough network scans to identify exposed SAP NetWeaver AS Java RMI-P4 ports and restrict access using firewalls or network segmentation to trusted management networks only. Implement strict monitoring and alerting on SAP system logs and network traffic for unusual deserialization attempts or command execution indicators. Regularly audit SAP system configurations to ensure no unnecessary services or open ports are exposed externally. Employ application-layer firewalls or runtime application self-protection (RASP) solutions that can detect and block deserialization attacks. Educate SAP administrators and security teams on the risks of insecure deserialization and the importance of timely patch management. Integrate SAP vulnerability management into broader enterprise vulnerability and patch management programs with accelerated timelines. Finally, maintain offline backups and incident response plans tailored to SAP environments to enable rapid recovery in case of compromise.
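The serialization filter recommended above is the standard Java deserialization filter introduced in JDK 9 (and backported to 8u121), and the mechanism is easiest to understand by watching it reject a class. The following is an added example written for this page, not code from SAP, the article, or the analysis; the `Order` and `UnexpectedType` classes are constructed placeholders, and the filter pattern is an illustrative allow-list, not the pattern SAP ships in its note (take that pattern from SAP's own guidance). It serializes two objects and deserializes both through a deny-by-default filter: the expected type is accepted, the unexpected type is refused with `InvalidClassException` before any of its code runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** A benign business object the endpoint legitimately exchanges (constructed for this example). */
class Order implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    final int quantity;
    Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
}

/** Stands in for any class the application never expects on the wire (constructed, harmless placeholder). */
class UnexpectedType implements Serializable {
    private static final long serialVersionUID = 1L;
    final String note = "should never be deserialized here";
}

public class SerialFilterDemo {

    // Illustrative allow-list (assumption, not SAP's pattern). Same syntax as -Djdk.serialFilter=...:
    // resource limits first, then allowed class/package patterns, and a trailing "!*" that
    // rejects every class not listed, which turns the filter into a deny-by-default policy.
    static final String FILTER_PATTERN =
        "maxdepth=8;maxrefs=200;maxbytes=65536;Order;java.lang.*;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with a per-stream filter. Returns the object, or null when the filter rejected
     * the stream. The rejection happens while the class descriptor is being read, so no
     * constructor, readObject or readResolve of the rejected class is ever executed.
     */
    static Object deserializeFiltered(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            // Message reads "filter status: REJECTED"; this is the event worth logging and
            // alerting on, since a legitimate client never sends an unlisted class.
            System.out.println("rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

        Object ok = deserializeFiltered(serialize(new Order("A-1", 3)), filter);
        System.out.println("accepted: " + (ok != null ? ok.getClass().getName() : "null"));

        Object blocked = deserializeFiltered(serialize(new UnexpectedType()), filter);
        System.out.println("blocked:  " + (blocked == null));
    }
}
```

The per-stream `setObjectInputFilter` call is used here only so the demo is self-contained; the JVM-wide setting the analysis refers to is the same filter applied to every `ObjectInputStream` in the process, configured with `-Djdk.serialFilter=<pattern>` on the command line or `ObjectInputFilter.Config.setSerialFilter(...)` at startup. The resource limits (`maxdepth`, `maxrefs`, `maxbytes`) apply regardless of class and also reject deeply nested or oversized payloads, and because the pattern is an allow-list with a trailing `!*`, any gadget class outside the listed packages is refused without the filter needing to know its name.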


Technical Details

Article Source
URL: https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html
Fetched: 2025-10-16T01:26:46.650Z (913 words)

Threat ID: 68f049d84f645e963f0fee10

Added to database: 10/16/2025, 1:26:48 AM

Last enriched: 10/16/2025, 1:29:16 AM

Last updated: 10/16/2025, 1:57:37 PM

Views: 12
