Threat Insight

SAP SRM Remote Code Execution (CVSS 10.0)

Addressed as part of SAP’s “Security Patch Day – July 2025”. Initially rated CVSS 3.9 on 12 May, the vulnerability has since been re-analysed by NVD and rescored to the maximum CVSS score of 10.0.

  • Insight

This is a deserialization vulnerability in the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM). It stems from the use of a deprecated Java applet that accepts serialized binary Java objects in a specific encoding format. Because the application deserializes these objects without validating their type, an attacker-supplied object graph can trigger execution of a malicious payload during deserialization.

NVD’s updated analysis and scoring reflects the potential for remote code execution as the SAP Administrator, which would grant full control over the affected system.

An attacker crafts a maliciously encoded Java object and sends it to the vulnerable servlet. The application deserializes the object, triggering arbitrary code execution. Depending on the payload, this may show up as outbound DNS requests from the server (a common way of confirming exploitability) or as direct command execution on the server.
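As an added illustration, not code from this advisory or from SAP, the following Python shows what “proper validation” of a serialized object looks like in practice: read the class name a Java serialization stream would instantiate first, before anything is deserialized, and compare it with an allowlist. The same look-ahead works as a detection check over request bodies, for both raw streams (which begin with the bytes AC ED 00 05) and base64-encoded ones (which begin with rO0AB). The servlet path, the class names, the allowlist and the sample requests are all constructed for the example and are not SAP’s real endpoint or objects.

```python
"""Look-ahead check on Java serialization streams before (or instead of) deserializing them."""
import base64
import binascii
import re
import struct

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
STREAM_HEADER = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73        # next item is an object ('s')
TC_CLASSDESC = 0x72     # followed by a class descriptor ('r')
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
# Base64 of any stream that starts with the header always begins with "rO0AB"
B64_MARKER = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")


def serialized_stub(class_name):
    """Build a minimal, well-formed stream for a class with no fields.
    Constructed test input only; it stands in for whatever the real applet sends."""
    name = class_name.encode("utf-8")
    return (
        STREAM_HEADER
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name
        + b"\x00" * 8            # serialVersionUID (arbitrary for the stub)
        + b"\x02"                # SC_SERIALIZABLE flag
        + struct.pack(">H", 0)   # field count: none
        + bytes([TC_ENDBLOCKDATA, TC_NULL])  # end of class annotation, no superclass
    )


def top_level_class(stream):
    """Return the class name the stream would instantiate first, without deserializing it.
    This is the decision point a hardened ObjectInputStream filter acts on."""
    if not stream.startswith(STREAM_HEADER):
        return None
    pos = len(STREAM_HEADER)
    if len(stream) < pos + 4 or stream[pos] != TC_OBJECT or stream[pos + 1] != TC_CLASSDESC:
        return None  # unusual top-level element; treat as unknown rather than guessing
    pos += 2
    (n,) = struct.unpack(">H", stream[pos:pos + 2])
    pos += 2
    name = stream[pos:pos + n]
    if len(name) != n:
        return None  # truncated stream
    return name.decode("utf-8", errors="replace")


def find_streams(body):
    """Yield (encoding, stream) for every raw or base64-encoded stream found in a body."""
    idx = body.find(STREAM_HEADER)
    if idx != -1:
        yield "raw", body[idx:]
    for m in B64_MARKER.finditer(body):
        token = m.group(0)
        token += b"=" * (-len(token) % 4)  # repair padding stripped by the client
        try:
            yield "base64", base64.b64decode(token, validate=True)
        except (ValueError, binascii.Error):
            continue


def triage(requests, allowlist):
    """Classify each (path, body) request; any stream whose first class is not allowlisted is blocked."""
    findings = []
    for path, body in requests:
        for encoding, stream in find_streams(body):
            cls = top_level_class(stream)
            verdict = "allow" if cls in allowlist else "block"
            findings.append({"path": path, "encoding": encoding, "class": cls, "verdict": verdict})
    return findings


# Constructed sample traffic. "/lac/servlet" and the class names are hypothetical;
# the blocked class is merely one that no auction payload should ever need.
ALLOWED_CLASSES = {"com.example.lac.BidUpdate"}
SAMPLE_REQUESTS = [
    ("/lac/servlet", serialized_stub("com.example.lac.BidUpdate")),
    ("/lac/servlet", b"data=" + base64.b64encode(
        serialized_stub("sun.reflect.annotation.AnnotationInvocationHandler"))),
    ("/lac/health", b"status=ok"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS, ALLOWED_CLASSES):
        print(finding)
```

The check deliberately refuses to deserialize anything: it only reads the class descriptor from the stream header, so a malicious object graph is rejected before any gadget chain can run. An allowlist of the handful of classes the auction applet legitimately exchanges is far safer than a denylist of known gadget classes, which attackers routinely bypass with new chains.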

Successful exploitation of this vulnerability could lead to:

  • Exfiltration of sensitive data
  • Installation of backdoors
  • Disruption of auction operations or manipulation of bidding processes

This vulnerability requires no authentication or privileges, has low attack complexity, is exploitable remotely over the network, and needs no user interaction.

CVE

CVE-2025-30012

We recommend applying the latest SAP Security Note for SRM_SERVER to mitigate the vulnerability as soon as possible. Where feasible, phase out the deprecated Java applet altogether to reduce the attack surface.

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html
https://nvd.nist.gov/vuln/detail/cve-2025-30012