Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
An attacker sends a malicious payload containing untrusted Java objects to an open port handled by the RMI-P4 module in SAP NetWeaver. The server deserializes the submitted data without prior user authentication, allowing embedded code execution. As a result of deserialization of untrusted Java objects, it is possible to achieve full arbitrary OS command execution. The attack does not require any permissions or user interaction, and its scope extends beyond the application itself (S:C in the CVSS vector).
An attacker can gain full control over the server operating system — read, modify and destroy data, and disrupt service availability, which means a complete breach of confidentiality, integrity and availability of the SAP NetWeaver system.
Patches available from the vendor must be applied immediately in accordance with SAP Security Notes 3634501, 3660659 and 3670067 (available at me.sap.com). Additionally, it is recommended to restrict network access to RMI-P4 ports exclusively to trusted hosts via firewall and to monitor network traffic on these ports until patches are deployed.
SAP NetWeaver with active RMI-P4 module with accessible network port; specific product versions indicated in vendor references (SAP Security Notes: 3634501, 3660659, 3670067)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H