CVE-2025-30018 is a critical vulnerability classified under CWE-611, which pertains to Improper Restriction of XML External Entity (XXE) Reference. This vulnerability affects the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM) version 7.14. The flaw allows an unauthenticated attacker to submit a specially crafted XML payload to an application servlet request. When the vulnerable XML parser processes this malicious XML, it can trigger the resolution of external entities, enabling the attacker to read sensitive files and data from the underlying system. The vulnerability does not require any authentication or user interaction, making it highly exploitable remotely over the network. The impact is primarily on confidentiality, as attackers can access sensitive information without affecting the integrity or availability of the application. The CVSS v3.1 base score is 8.6 (High), reflecting the ease of exploitation (network vector, low attack complexity, no privileges required, no user interaction) and the significant confidentiality impact. The scope is changed, indicating that the vulnerability affects resources beyond the vulnerable component itself. No known exploits are currently reported in the wild, and no official patches have been released at the time of publication (May 2025). This vulnerability is particularly critical because SAP SRM is widely used in enterprise procurement and supply chain management, and the Live Auction Cockpit is a key module facilitating supplier bidding processes. An attacker exploiting this vulnerability could gain unauthorized access to sensitive procurement data, potentially exposing business-critical information and intellectual property.

For European organizations, the impact of CVE-2025-30018 could be severe. SAP SRM is widely deployed across various industries in Europe, including manufacturing, automotive, pharmaceuticals, and public sector entities. The Live Auction Cockpit module is integral to supplier negotiations and contract management, meaning that unauthorized data disclosure could lead to exposure of sensitive supplier bids, pricing strategies, and contract terms. This could result in competitive disadvantages, financial losses, and reputational damage. Additionally, leaked information could be leveraged for further targeted attacks such as corporate espionage or fraud. Since the vulnerability allows unauthenticated remote exploitation, attackers could operate from outside the organization’s network perimeter, increasing the risk of widespread compromise. The confidentiality breach might also trigger regulatory compliance issues under GDPR, especially if personal or sensitive data is exposed. The lack of impact on integrity and availability reduces the risk of service disruption but does not mitigate the serious confidentiality concerns. Overall, European organizations relying on SAP SRM 7.14 should consider this vulnerability a high priority for remediation to protect sensitive procurement and supplier data.

Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. First, restrict network access to the Live Auction Cockpit servlet by applying strict firewall rules or network segmentation to limit exposure only to trusted internal IP addresses. Employ web application firewalls (WAFs) with custom rules to detect and block XML payloads containing external entity references or suspicious patterns indicative of XXE attacks. Disable XML external entity processing in the XML parsers used by the Live Auction Cockpit if configurable, or apply secure XML parsing libraries that prevent external entity resolution. Conduct thorough logging and monitoring of XML requests to detect anomalous activity. Organizations should also prioritize upgrading or patching SAP SRM to a fixed version as soon as SAP releases an official security update. Additionally, perform a risk assessment to identify sensitive data potentially exposed and consider encrypting sensitive files and data at rest to reduce impact. Employee awareness and incident response plans should be updated to address potential exploitation scenarios. Finally, coordinate with SAP support and subscribe to SAP security advisories to receive timely updates.