
CVE-2025-30009: CWE-79: Improper Neutralization of Input During Web Page Generation in SAP_SE SAP Supplier Relationship Management (Live Auction Cockpit)

Medium
Published: Tue May 13 2025 (05/13/2025, 00:12:52 UTC)
Source: CVE
Vendor/Project: SAP_SE
Product: SAP Supplier Relationship Management (Live Auction Cockpit)

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages, which allows an unauthenticated attacker to execute malicious script in the victim's browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim's browser, with no effect on availability of the application.

AI-Powered Analysis

Last updated: 07/12/2025, 01:46:12 UTC

Technical Analysis

CVE-2025-30009 is a medium-severity vulnerability identified in the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM) version 7.14. The vulnerability is classified under CWE-79, which corresponds to Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation. Specifically, the Live Auction Cockpit uses a deprecated Java applet component that fails to properly sanitize user input, allowing an unauthenticated attacker to inject and execute malicious scripts in the context of a victim's browser session. This vulnerability does not require any prior authentication, making it accessible to remote attackers over the network. The CVSS 3.1 base score is 6.1, reflecting a medium severity level, with a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the security scope of the vulnerable component. The impact is limited to confidentiality and integrity within the victim's browser session, with no direct impact on the availability of the SAP SRM application itself. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability arises from the use of outdated Java applet technology, which is deprecated in modern web environments and no longer receives the security hardening of current browser platforms, increasing the risk of exploitation through client-side script injection. Attackers leveraging this vulnerability could perform actions such as session hijacking, credential theft, or unauthorized actions within the victim's browser session, potentially leading to further compromise of user accounts or sensitive data accessible via the browser interface.

Potential Impact

For European organizations using SAP Supplier Relationship Management 7.14 with the Live Auction Cockpit, this vulnerability poses a significant risk primarily to the confidentiality and integrity of user sessions. Since the attack vector is remote and unauthenticated, any user accessing the vulnerable component could be targeted via crafted malicious links or web pages that trigger the XSS payload. This could lead to theft of session cookies, unauthorized actions performed on behalf of users, or exposure of sensitive procurement and supplier data managed through the SRM platform. Although availability of the SAP system is not affected, the compromise of user sessions can disrupt business processes, damage trust, and potentially lead to financial losses or regulatory non-compliance under GDPR if personal or sensitive data is exposed. The use of deprecated Java applets also suggests that affected organizations may be running legacy systems that could be vulnerable to other security issues, increasing overall risk. Additionally, the scope change in the CVSS vector indicates that the impact could extend beyond the immediate component, potentially affecting other integrated SAP modules or connected systems if session tokens or credentials are compromised.

Mitigation Recommendations

1. Immediate mitigation should involve disabling or restricting access to the Live Auction Cockpit component until a patch is available.
2. Implement strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing the SAP SRM system.
3. Employ web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the vulnerable Java applet.
4. Educate users to avoid clicking on suspicious links or opening untrusted content while using the SAP SRM platform.
5. Monitor logs and network traffic for unusual activity indicative of attempted exploitation, such as anomalous script execution or session anomalies.
6. Plan and prioritize upgrading or migrating away from deprecated Java applet components to modern, secure web technologies.
7. Once SAP releases an official patch or update, apply it promptly and verify the remediation through security testing.
8. Review and enhance input validation and output encoding practices in custom SAP extensions or integrations to prevent similar XSS issues.
9. Consider implementing multi-factor authentication (MFA) for SAP SRM access to reduce the impact of session hijacking attempts.
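The following Python example is added here to make recommendations 2, 5 and 8 concrete; it is not SAP code and does not model the Live Auction Cockpit itself. It shows a page-generation routine that concatenates untrusted input (the CWE-79 pattern) beside one that HTML-encodes it, a helper that assembles a nonce-based CSP header, and a small access-log scanner that flags requests whose decoded query string carries script-injection markers. The URL paths, IP addresses and log lines are constructed for illustration and do not come from the advisory.

```python
"""Defensive checks for CWE-79 style issues: output encoding, CSP, log review.

Added example, not part of the advisory or SAP's software. Every path,
address and log line below is constructed for illustration only.
"""
import html
import re
import secrets
from urllib.parse import unquote_plus


def render_unsafe(auction_name: str) -> str:
    """Vulnerable pattern: untrusted input dropped straight into the page."""
    return f"<h1>Live Auction: {auction_name}</h1>"


def render_safe(auction_name: str) -> str:
    """Hardened pattern: encode for the HTML text context before emitting.

    html.escape replaces <, >, &, " and ', so the value can no longer break
    out of the text node it is placed in (recommendation 8).
    """
    return f"<h1>Live Auction: {html.escape(auction_name, quote=True)}</h1>"


def new_nonce() -> str:
    """Fresh per-response nonce for the CSP script-src directive."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Assemble a Content-Security-Policy value (recommendation 2).

    Scripts may only load from the same origin or carry this response's
    nonce; plugins (object-src) are disabled, which also blocks legacy
    applet embedding in browsers that still honour it.
    """
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


# Markers typical of reflected script injection in query parameters.
# The lookbehind on the event-handler alternative avoids matching ordinary
# words that merely contain "on" (e.g. "confirmation=1").
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|(?<!\w)on\w+\s*=", re.IGNORECASE
)

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def scan_access_log(lines):
    """Return (line_number, decoded_path) for requests that match SUSPICIOUS.

    Query strings are percent-decoded first so encoded payloads are not
    missed (recommendation 5).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))
        if SUSPICIOUS.search(decoded):
            hits.append((n, decoded))
    return hits


# Constructed sample access-log lines (not real traffic, not real SRM paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/May/2025:10:00:00 +0000] "GET /lac/auction?id=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/May/2025:10:00:07 +0000] "GET /lac/auction?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [13/May/2025:10:00:12 +0000] "GET /lac/auction?title=x%22+onmouseover%3Dalert(1) HTTP/1.1" 200 640',
    '10.0.0.7 - - [13/May/2025:10:01:00 +0000] "POST /lac/bid HTTP/1.1" 302 0',
    '10.0.0.3 - - [13/May/2025:10:01:30 +0000] "GET /lac/auction?confirmation=1 HTTP/1.1" 200 480',
]


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("unsafe:", render_unsafe(probe))
    print("safe:  ", render_safe(probe))
    print("csp:   ", build_csp(new_nonce()))
    for n, path in scan_access_log(SAMPLE_LOG):
        print(f"flagged line {n}: {path}")
```

The scanner is a triage aid, not a WAF: it surfaces lines worth a closer look, and the lookbehind shows the kind of false-positive control a custom WAF rule (recommendation 3) needs before it is allowed to block traffic.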


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-03-13T18:03:35.488Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd64a9

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/12/2025, 1:46:12 AM

Last updated: 7/27/2025, 5:11:09 AM
