CVE-2025-30018: CWE-611: Improper Restriction of XML External Entity Reference in SAP_SE SAP Supplier Relationship Management (Live Auction Cockpit)
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which, when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
AI Analysis
Technical Summary
CVE-2025-30018 is a critical vulnerability classified under CWE-611, which pertains to Improper Restriction of XML External Entity (XXE) Reference. This vulnerability affects the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM) version 7.14. The flaw allows an unauthenticated attacker to submit a specially crafted XML payload to an application servlet request. When the vulnerable XML parser processes this malicious XML, it can trigger the resolution of external entities, enabling the attacker to read sensitive files and data from the underlying system. The vulnerability does not require any authentication or user interaction, making it highly exploitable remotely over the network. The impact is primarily on confidentiality, as attackers can access sensitive information without affecting the integrity or availability of the application. The CVSS v3.1 base score is 8.6 (High), reflecting the ease of exploitation (network vector, low attack complexity, no privileges required, no user interaction) and the significant confidentiality impact. The scope is changed, indicating that the vulnerability affects resources beyond the vulnerable component itself. No known exploits are currently reported in the wild, and no official patches have been released at the time of publication (May 2025). This vulnerability is particularly critical because SAP SRM is widely used in enterprise procurement and supply chain management, and the Live Auction Cockpit is a key module facilitating supplier bidding processes. An attacker exploiting this vulnerability could gain unauthorized access to sensitive procurement data, potentially exposing business-critical information and intellectual property.
Potential Impact
For European organizations, the impact of CVE-2025-30018 could be severe. SAP SRM is widely deployed across various industries in Europe, including manufacturing, automotive, pharmaceuticals, and public sector entities. The Live Auction Cockpit module is integral to supplier negotiations and contract management, meaning that unauthorized data disclosure could lead to exposure of sensitive supplier bids, pricing strategies, and contract terms. This could result in competitive disadvantages, financial losses, and reputational damage. Additionally, leaked information could be leveraged for further targeted attacks such as corporate espionage or fraud. Since the vulnerability allows unauthenticated remote exploitation, attackers could operate from outside the organization’s network perimeter, increasing the risk of widespread compromise. The confidentiality breach might also trigger regulatory compliance issues under GDPR, especially if personal or sensitive data is exposed. The lack of impact on integrity and availability reduces the risk of service disruption but does not mitigate the serious confidentiality concerns. Overall, European organizations relying on SAP SRM 7.14 should consider this vulnerability a high priority for remediation to protect sensitive procurement and supplier data.
Mitigation Recommendations
Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. First, restrict network access to the Live Auction Cockpit servlet by applying strict firewall rules or network segmentation to limit exposure only to trusted internal IP addresses. Employ web application firewalls (WAFs) with custom rules to detect and block XML payloads containing external entity references or suspicious patterns indicative of XXE attacks. Disable XML external entity processing in the XML parsers used by the Live Auction Cockpit if configurable, or apply secure XML parsing libraries that prevent external entity resolution. Conduct thorough logging and monitoring of XML requests to detect anomalous activity. Organizations should also prioritize upgrading or patching SAP SRM to a fixed version as soon as SAP releases an official security update. Additionally, perform a risk assessment to identify sensitive data potentially exposed and consider encrypting sensitive files and data at rest to reduce impact. Employee awareness and incident response plans should be updated to address potential exploitation scenarios. Finally, coordinate with SAP support and subscribe to SAP security advisories to receive timely updates.
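The WAF and request-logging control described above, worked through as a small Python request-body classifier. This is an added example, not code from the original advisory or from SAP: it flags any DOCTYPE declaration for review and blocks external (SYSTEM/PUBLIC) and parameter entities, and also decodes UTF-16 bodies so a re-encoded payload is not missed. The sample bid documents, the file path and the DTD host are constructed placeholders, and the allow/review/block policy is an assumption.

```python
import re

# Signatures for the DTD constructs an XXE payload needs: a DOCTYPE, an entity
# with an external (SYSTEM/PUBLIC) identifier, or a parameter entity
# (<!ENTITY % ...>) that can pull in an external DTD.
INDICATORS = [
    ("doctype-declaration", re.compile(r"<!DOCTYPE\b", re.IGNORECASE)),
    ("external-entity",
     re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)),
    ("parameter-entity", re.compile(r"<!ENTITY\s+%", re.IGNORECASE)),
]


def decode_xml_body(raw: bytes) -> str:
    """Decode a request body, honouring a UTF-16 BOM so that a payload
    re-encoded to evade ASCII-only signature matching is still inspected."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def classify_xml_request(raw: bytes) -> tuple[str, list[str]]:
    """Return ("allow" | "review" | "block", matched indicator names).
    External and parameter entities are blocked; a DOCTYPE with only internal
    entities passes but is logged, since a bid document needs no DTD at all."""
    body = decode_xml_body(raw)
    matched = [name for name, rx in INDICATORS if rx.search(body)]
    if "external-entity" in matched or "parameter-entity" in matched:
        return "block", matched
    if matched:
        return "review", matched
    return "allow", matched


# Constructed sample request bodies (hypothetical bid documents, not real
# SAP SRM traffic); the file path and DTD host are placeholders.
SAMPLES = {
    "benign": b'<?xml version="1.0"?><bid><auction>A-1</auction><amount>100</amount></bid>',
    "internal-entity": b'<!DOCTYPE bid [<!ENTITY co "Example GmbH">]><bid><supplier>&co;</supplier></bid>',
    "external-entity": b'<!DOCTYPE bid [<!ENTITY x SYSTEM "file:///placeholder/secret.txt">]><bid>&x;</bid>',
    "parameter-entity": b'<!DOCTYPE bid [<!ENTITY % dtd SYSTEM "http://dtd-host.example/x.dtd"> %dtd;]><bid/>',
}
# The same external-entity payload re-encoded as UTF-16 with a BOM.
SAMPLES["utf16-external-entity"] = SAMPLES["external-entity"].decode().encode("utf-16")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, matched = classify_xml_request(raw)
        print(f"{name:24s} {verdict:7s} {matched}")
```

A "review" verdict is the one to route to the SIEM as anomalous XML traffic; "block" should additionally raise an alert, since no legitimate auction client emits a DTD with external references.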
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: sap
- Date Reserved: 2025-03-13T18:03:35.489Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9815c4522896dcbd64b1
Added to database: 5/21/2025, 9:08:37 AM
Last enriched: 7/12/2025, 1:46:41 AM
Last updated: 8/7/2025, 11:40:28 AM