The RMI code supports a disused protocol called the "multiplex" protocol. This was removed by JDK-4183204 in JDK 1.2.2. More history is in JDK-4257730. The latter bug comments indicate that the multiplex protocol was implemented in order to solve a problem that existed in JDK 1.0.2 but that it was no longer necessary and was considered "deprecated" by JDK 1.2.2.
JDK-4183204 removed client initiation of the multiplex protocol but server side support still exists and can probably be exercised. This is a potential security risk.
An initial step would be simply to disable the multiplex protocol processing so that the old code will no longer be invoked. Done in 8158963 for JDK 9.
A second step would be to remove the multiplex support entirely.