CVE-2025-30012CRITICAL 9.8EPSS p48.4%

CVE-2025-30012CVE-2025-30012

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.70% probability of exploitation · percentile 48.4% · 2026-06-18T12:00:27Z
Published2025-05-13
Last modified2025-10-23

Underlying weaknesses· 1

CWE-502

References

  1. https://me.sap.com/notes/3578900
  2. https://url.sap/sapsecuritypatchday

1

TypeTargetConfidenceTier
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-42910
CVE
CVE-2025-42922
CVE
CVE-2025-42944
CVE
CVE-2025-42963
CVE
CVE-2025-42928
CVE
CVE-2026-0507
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.