CVE-2025-30012

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30012
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.

10.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://me.sap.com/notes/3578900 Permissions Required
https://url.sap/sapsecuritypatchday Not Applicable
Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*
History

23 Oct 2025, 16:52

Type Values Removed Values Added
References () https://me.sap.com/notes/3578900 - () https://me.sap.com/notes/3578900 - Permissions Required
References () https://url.sap/sapsecuritypatchday - () https://url.sap/sapsecuritypatchday - Not Applicable
CPE cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*
First Time Sap supplier Relationship Management
Sap

07 Jul 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-13 01:15

Updated : 2025-10-23 16:52

NVD link : CVE-2025-30012

Mitre link : CVE-2025-30012

CVE.ORG link : CVE-2025-30012

JSON object : View

Products Affected

sap

  • supplier_relationship_management
CWE
CWE-502

Deserialization of Untrusted Data