PT-2025-20808 · SAP · SAP Supplier Relationship Management

Published: 2025-05-13 · Updated: 2025-10-23 · CVE-2025-30012

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP Supplier Relationship Management (SRM), versions prior to the July 2025 patch; SAP SRM Live Auction Cockpit, version 7.14.
Description: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component that accepts binary Java objects in a specific encoding format. An unauthenticated attacker who sends a malicious payload request can trigger deserialization of that data inside the application, potentially leading to execution of arbitrary OS commands with SAP Administrator privileges. The vulnerability has a high impact on the confidentiality, integrity, and availability of the application. While some reports rate the impact as low, other sources rate it as critical with a CVSS score of 10.0. The vulnerability allows complete system compromise through deserialization.
API Endpoints: Not specified.
Vulnerable Parameters or Variables: Not specified.
Function Names: Not specified.

Recommendations: For SAP SRM versions prior to the July 2025 patch, apply the July 2025 security patches. For SAP SRM Live Auction Cockpit version 7.14, apply the July 2025 security patches and disable Java applets.

Tags: Fix · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2025-30012

Affected Products: SAP Supplier Relationship Management