
CVE-2025-30012: CWE-502: Deserialization of Untrusted Data in SAP_SE SAP Supplier Relationship Management (Live Auction Cockpit)

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-30012, cve, cwe-502
Published: Tue May 13 2025 (05/13/2025, 00:14:21 UTC)
Source: CVE
Vendor/Project: SAP_SE
Product: SAP Supplier Relationship Management (Live Auction Cockpit)

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component, which allows an unauthenticated attacker to send a malicious payload request in a specific encoding format. The servlet then decodes this malicious request, which results in deserialization of data in the application, leading to execution of arbitrary OS commands on the target as SAP Administrator. This vulnerability has a High impact on confidentiality, integrity, and availability of the application.

AI-Powered Analysis

AI analysis last updated: 07/25/2025, 00:41:09 UTC

Technical Analysis

CVE-2025-30012 is a critical vulnerability affecting SAP Supplier Relationship Management (SRM) version 7.14, specifically within the Live Auction Cockpit component. This vulnerability arises from the use of a deprecated Java applet that processes incoming requests in a specific encoded format. An unauthenticated attacker can exploit this flaw by sending a maliciously crafted payload to the vulnerable servlet. The servlet decodes this payload and performs deserialization of untrusted data, which leads to arbitrary operating system command execution with SAP Administrator privileges. This means the attacker gains full control over the affected SAP SRM system without requiring any authentication or user interaction. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which is a common and dangerous security flaw that allows attackers to manipulate serialized objects to execute malicious code. The CVSS v3.1 base score is 10.0, reflecting the highest severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is high, as arbitrary OS command execution can lead to data theft, system manipulation, and service disruption. No patches or mitigations are currently linked, and no known exploits are reported in the wild yet, but the critical nature and ease of exploitation make this a significant threat to organizations using SAP SRM 7.14.

Potential Impact

For European organizations relying on SAP Supplier Relationship Management 7.14, this vulnerability poses a severe risk. The ability for an unauthenticated attacker to execute arbitrary OS commands as an SAP Administrator could lead to complete compromise of the SRM system, which is often integral to procurement and supplier management processes. This could result in unauthorized access to sensitive supplier and contract data, manipulation or disruption of procurement workflows, and potential supply chain sabotage. The confidentiality breach could expose sensitive business information, while integrity and availability impacts could disrupt critical business operations, causing financial loss and reputational damage. Given the critical role of SAP SRM in many large enterprises and public sector organizations across Europe, exploitation could have cascading effects on supply chain security and operational continuity. Additionally, the lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation attempts. Organizations in sectors such as manufacturing, automotive, pharmaceuticals, and government, which heavily depend on SAP SRM, are particularly at risk.

Mitigation Recommendations

1. Immediate mitigation should include isolating the SAP SRM 7.14 Live Auction Cockpit component from external network access to prevent unauthenticated exploitation.
2. Implement strict network-level access controls and firewall rules to restrict access to the vulnerable servlet only to trusted internal systems and users.
3. Disable or remove the deprecated Java applet component if possible, or disable the Live Auction Cockpit functionality until a vendor patch is available.
4. Monitor SAP system logs and network traffic for unusual or suspicious requests targeting the Live Auction Cockpit servlet, especially those containing encoded payloads.
5. Employ application-layer intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect deserialization attack patterns.
6. Engage with SAP support and subscribe to SAP security advisories to obtain and apply patches or official mitigations as soon as they are released.
7. Conduct thorough security assessments and penetration tests focusing on SAP SRM components to identify any exploitation attempts or residual vulnerabilities.
8. Educate SAP administrators and security teams about this vulnerability to ensure rapid detection and response capabilities.
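Items 4 and 5 above come down to one concrete check: spotting encoded Java serialized objects arriving at the Live Auction Cockpit servlet, which should never receive them from untrusted clients. The Python below is an added example, not code from the advisory, from SAP or from the analysis vendor. It scans constructed request-log lines and flags any parameter, in the query string or body, that decodes (raw, base64 or hex) to the Java serialization stream header 0xACED0005. The servlet path prefix, the log line format and the sample payloads are assumptions made up for this example; the advisory does not say which encoding the vulnerable servlet expects, so the check covers the common ones.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Header written by every java.io.ObjectOutputStream (STREAM_MAGIC + STREAM_VERSION).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# ASSUMPTION: placeholder prefix for the Live Auction Cockpit servlet. The real path
# is not given in the advisory; replace it with the path seen on your own SAP SRM system.
WATCHED_PATH_PREFIX = "/sap/srm/liveauction/"

# ASSUMPTION: constructed log format: <client> <method> <target> "<body>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "(?P<body>.*)"$')


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    param: str
    encoding: str


def _candidates(value):
    """Yield (encoding name, decoded bytes) for each encoding we try on a parameter value."""
    yield "raw", value.encode("latin-1", errors="replace")
    try:
        # Tolerate missing padding: attackers and tools frequently strip it.
        yield "base64", base64.b64decode(value + "=" * (-len(value) % 4), validate=False)
    except (binascii.Error, ValueError):
        pass
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", value):
        yield "hex", bytes.fromhex(value)


def serialized_java_encoding(value):
    """Return the encoding under which `value` starts with a Java serialization header, else None."""
    for name, data in _candidates(value):
        if data.startswith(JAVA_SERIAL_MAGIC):
            return name
    return None


def scan_log(lines):
    """Return a Finding for every parameter of a watched-path request that carries a serialized object."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this detector's job
        parts = urlsplit(m["target"])
        if not parts.path.startswith(WATCHED_PATH_PREFIX):
            continue  # only the exposed servlet is in scope
        params = parse_qs(parts.query, keep_blank_values=True)
        for key, vals in parse_qs(m["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
        for name, values in params.items():
            for value in values:
                enc = serialized_java_encoding(value)
                if enc:
                    findings.append(Finding(line_no, m["client"], parts.path, name, enc))
    return findings


# Constructed sample data: a fake "serialized object" is just the header plus a label.
SAMPLE_PAYLOAD_B64 = base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed").decode()
SAMPLE_PAYLOAD_HEX = (JAVA_SERIAL_MAGIC + b"constructed").hex()
SAMPLE_LOG = [
    f'10.0.0.5 POST {WATCHED_PATH_PREFIX}servlet "auctionId=42&bid=100"',          # benign
    f'10.0.0.7 POST {WATCHED_PATH_PREFIX}servlet "data={SAMPLE_PAYLOAD_B64}"',      # base64 object in body
    f'10.0.0.9 GET {WATCHED_PATH_PREFIX}servlet?blob={SAMPLE_PAYLOAD_HEX} ""',      # hex object in query
    f'10.0.0.11 POST /sap/other/app "data={SAMPLE_PAYLOAD_B64}"',                   # out of scope path
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} sent a {f.encoding}-encoded Java object in '{f.param}' to {f.path}")
```

The detector is deliberately strict about scope (only the watched servlet) and loose about encoding, because any serialized Java object reaching that endpoint from outside is already a policy violation once the network restriction in item 2 is in place; widen `WATCHED_PATH_PREFIX` if you are unsure of the exact path. The base64 check triggers on the familiar `rO0AB` prefix, which is what most IDS signatures for CWE-502 also key on.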


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-03-13T18:03:35.488Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd64ad

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/25/2025, 12:41:09 AM

Last updated: 8/18/2025, 1:22:23 AM

