
CVE-2025-30018: CWE-611: Improper Restriction of XML External Entity Reference in SAP_SE SAP Supplier Relationship Management (Live Auction Cockpit)

Severity: High
Tags: CVE-2025-30018, CWE-611
Published: Tue May 13 2025 (05/13/2025, 00:16:20 UTC)
Source: CVE
Vendor/Project: SAP_SE
Product: SAP Supplier Relationship Management (Live Auction Cockpit)

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which, when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.

AI-Powered Analysis

Last updated: 07/12/2025, 01:46:41 UTC

Technical Analysis

CVE-2025-30018 is a high-severity vulnerability classified under CWE-611, Improper Restriction of XML External Entity (XXE) Reference. It affects the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM) version 7.14. The flaw allows an unauthenticated attacker to submit a specially crafted XML payload in an application servlet request. When the vulnerable XML parser processes this payload, it resolves the external entities declared in it, which lets the attacker read sensitive files and data from the underlying system. No authentication or user interaction is required, so the flaw is exploitable remotely over the network. The impact is confined to confidentiality: attackers can access sensitive information, but the integrity and availability of the application are unaffected. The CVSS v3.1 base score is 8.6 (High), reflecting the ease of exploitation (network vector, low attack complexity, no privileges required, no user interaction) and the significant confidentiality impact. The scope is changed, indicating that the vulnerability affects resources beyond the vulnerable component itself. No exploits in the wild had been reported and no official patch had been released at the time of publication (May 2025). The vulnerability is particularly significant because SAP SRM is widely used in enterprise procurement and supply chain management, and the Live Auction Cockpit is a key module for supplier bidding. An attacker exploiting it could gain unauthorized access to sensitive procurement data, potentially exposing business-critical information and intellectual property.

Potential Impact

For European organizations, the impact of CVE-2025-30018 could be severe. SAP SRM is widely deployed across various industries in Europe, including manufacturing, automotive, pharmaceuticals, and public sector entities. The Live Auction Cockpit module is integral to supplier negotiations and contract management, meaning that unauthorized data disclosure could lead to exposure of sensitive supplier bids, pricing strategies, and contract terms. This could result in competitive disadvantages, financial losses, and reputational damage. Additionally, leaked information could be leveraged for further targeted attacks such as corporate espionage or fraud. Since the vulnerability allows unauthenticated remote exploitation, attackers could operate from outside the organization’s network perimeter, increasing the risk of widespread compromise. The confidentiality breach might also trigger regulatory compliance issues under GDPR, especially if personal or sensitive data is exposed. The lack of impact on integrity and availability reduces the risk of service disruption but does not mitigate the serious confidentiality concerns. Overall, European organizations relying on SAP SRM 7.14 should consider this vulnerability a high priority for remediation to protect sensitive procurement and supplier data.

Mitigation Recommendations

Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. First, restrict network access to the Live Auction Cockpit servlet with strict firewall rules or network segmentation so that it is reachable only from trusted internal IP addresses. Deploy web application firewalls (WAFs) with custom rules that detect and block XML payloads containing DOCTYPE declarations, external entity references, or other patterns indicative of XXE attacks. Where the XML parsers used by the Live Auction Cockpit are configurable, disable DTD processing and external entity resolution (both general and parameter entities); otherwise use a secure XML parsing library that does not resolve external entities. Log and monitor XML requests thoroughly to detect anomalous activity. Organizations should also prioritize upgrading or patching SAP SRM to a fixed version as soon as SAP releases an official security update. Additionally, perform a risk assessment to identify the sensitive data that could be exposed and consider encrypting sensitive files and data at rest to reduce the impact. Update employee awareness material and incident response plans to address potential exploitation scenarios. Finally, coordinate with SAP support and subscribe to SAP security advisories to receive timely updates.
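As an added example (not SAP's code and not from this advisory), the following Python screens inbound XML request bodies for the XXE indicators a WAF rule would key on, and parses accepted bodies with a stdlib expat parser configured to refuse any DOCTYPE declaration or external entity reference. The sample bodies used to exercise it are constructed, and the file path in them is a placeholder.

```python
# Constructed example (not SAP's code): pre-screen XML request bodies for XXE
# indicators, then parse with expat configured to refuse DOCTYPE and external entities.
import re
import xml.parsers.expat as expat

# WAF-style indicators: DOCTYPE with ENTITY declarations, external entities, parameter entities.
XXE_INDICATORS = {
    "doctype_with_entity": re.compile(r"<!DOCTYPE[^>]*\[.*?<!ENTITY", re.I | re.S),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%\s*\w+", re.I),
}

def screen_xml_request(body: str) -> list[str]:
    """Names of XXE indicators present in the body (empty list means clean)."""
    return [name for name, rx in XXE_INDICATORS.items() if rx.search(body)]

class DoctypeRejected(ValueError):
    """Raised when a request body carries any DOCTYPE declaration."""

def parse_xml_safely(body: str) -> dict[str, str]:
    """Parse into a flat {element: text} map; any DOCTYPE aborts the parse."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result: dict[str, str] = {}
    stack: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not permitted")

    def on_start(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    parser.StartDoctypeDeclHandler = on_doctype
    # Returning 0 makes expat raise an error instead of resolving the entity.
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = lambda data: result.update({stack[-1]: result[stack[-1]] + data})
    parser.Parse(body, True)
    return result

def accepts(body: str) -> bool:
    # True only if the body passes both the pre-filter and the hardened parser.
    if screen_xml_request(body):
        return False
    try:
        parse_xml_safely(body)
    except (DoctypeRejected, expat.ExpatError):
        return False
    return True
```

A DOCTYPE that declares no entities passes the regex pre-filter but is still rejected by the parser, which is why the two layers are combined.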


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-03-13T18:03:35.489Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd64b1

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/12/2025, 1:46:41 AM

Last updated: 8/7/2025, 11:40:28 AM

