Deserialization Vulnerability in SAP Supplier Relationship Management's Live Auction Cockpit
CVE-2025-30012

3.9LOW

Key Information:

Vendor

SAP
Status
Supplier Relationship Management (SRM)
Vendor
CVE Published:
13 May 2025

What is CVE-2025-30012?

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) utilizes a deprecated Java applet, allowing authenticated users with elevated privileges to exploit the system. By sending specifically crafted payload requests, these users can trigger an outbound DNS request that leads to the deserialization of potentially harmful data. While the impact on the application's confidentiality, integrity, and availability is noted as low, organizations using affected versions should take immediate steps to mitigate this risk by applying available security patches.

References

https://me.sap.com/notes/3578900
https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:
3.9
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2025-30012 : Deserialization Vulnerability in SAP Supplier Relationship Management's Live Auction Cockpit