SAP SRM Live Auction Java Applet Deserialization Enables Remote OS Commands
CVE-2025-30012 Published on May 13, 2025

Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.

NVD

Vulnerability Analysis

CVE-2025-30012 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-30012 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Affected Versions

SAP_SE SAP Supplier Relationship Management (Live Auction Cockpit) Version SRM_SERVER 7.14 is affected by CVE-2025-30012

Exploit Probability

EPSS
1.77%
Percentile
82.92%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.