CVE-2025-30012 is a critical vulnerability affecting SAP Supplier Relationship Management (SRM) version 7.14, specifically within the Live Auction Cockpit component. This vulnerability arises from the use of a deprecated Java applet that processes incoming requests in a specific encoded format. An unauthenticated attacker can exploit this flaw by sending a maliciously crafted payload to the vulnerable servlet. The servlet decodes this payload and performs deserialization of untrusted data, which leads to arbitrary operating system command execution with SAP Administrator privileges. This means the attacker gains full control over the affected SAP SRM system without requiring any authentication or user interaction. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which is a common and dangerous security flaw that allows attackers to manipulate serialized objects to execute malicious code. The CVSS v3.1 base score is 10.0, reflecting the highest severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is high, as arbitrary OS command execution can lead to data theft, system manipulation, and service disruption. No patches or mitigations are currently linked, and no known exploits are reported in the wild yet, but the critical nature and ease of exploitation make this a significant threat to organizations using SAP SRM 7.14.

For European organizations relying on SAP Supplier Relationship Management 7.14, this vulnerability poses a severe risk. The ability for an unauthenticated attacker to execute arbitrary OS commands as an SAP Administrator could lead to complete compromise of the SRM system, which is often integral to procurement and supplier management processes. This could result in unauthorized access to sensitive supplier and contract data, manipulation or disruption of procurement workflows, and potential supply chain sabotage. The confidentiality breach could expose sensitive business information, while integrity and availability impacts could disrupt critical business operations, causing financial loss and reputational damage. Given the critical role of SAP SRM in many large enterprises and public sector organizations across Europe, exploitation could have cascading effects on supply chain security and operational continuity. Additionally, the lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation attempts. Organizations in sectors such as manufacturing, automotive, pharmaceuticals, and government, which heavily depend on SAP SRM, are particularly at risk.

1. Immediate mitigation should include isolating the SAP SRM 7.14 Live Auction Cockpit component from external network access to prevent unauthenticated exploitation. 2. Implement strict network-level access controls and firewall rules to restrict access to the vulnerable servlet only to trusted internal systems and users. 3. Disable or remove the deprecated Java applet component if possible, or disable the Live Auction Cockpit functionality until a vendor patch is available. 4. Monitor SAP system logs and network traffic for unusual or suspicious requests targeting the Live Auction Cockpit servlet, especially those containing encoded payloads. 5. Employ application-layer intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect deserialization attack patterns. 6. Engage with SAP support and subscribe to SAP security advisories to obtain and apply patches or official mitigations as soon as they are released. 7. Conduct thorough security assessments and penetration tests focusing on SAP SRM components to identify any exploitation attempts or residual vulnerabilities. 8. Educate SAP administrators and security teams about this vulnerability to ensure rapid detection and response capabilities.