CVE-2025-30012 CRITICAL

CVE-2025-30012: Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)

Vendor Sap_Se

Product SAP Supplier Relationship Management (Live Auction Cockpit)

Weakness CWE-502 · Unsafe deserialization

Published May 13, 2025

Last update July 24, 2025

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.

Key dates

02Disclosure timeline

May 13, 2025 CVE published

July 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-30012

Related vulnerabilities

Identifiers

CVE CVE-2025-30012

CWE CWE-502

CVSS 10.0 / CRITICAL

Affected versions