CVE-2025-30012
CRITICALSAP Supplier Relationship Management - Unauthenticated Remote Code Execution via Live Auction Cockpit Deserialization
Title source: llmDescription
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.
References (2)
Core 2
Core References
Permissions Required
https://me.sap.com/notes/3578900
Not Applicable
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
10.0
EPSS
0.0177
EPSS Percentile
82.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (1)
sap/supplier_relationship_management
7.14
Published
May 13, 2025
Tracked Since
Feb 18, 2026