SAP Security Update - July 2025

Written By Peter Girnus

Executive Summary

SAP's July 2025 Security Patch Day delivers one of the most critical security updates in recent memory, addressing 27 new vulnerabilities with 7 classified as critical severity. The headline vulnerability, CVE-2025-30012, carries the maximum CVSS score of 10.0 and allows unauthenticated remote code execution in SAP Supplier Relationship Management systems.

Critical Vulnerabilities Requiring Immediate Action

CVE-2025-30012 - Remote Code Execution via Insecure Deserialization (CVSS 10.0)

Affected Products: SAP Supplier Relationship Management (SRM) Live Auction Cockpit - SRM_SERVER 7.14

Impact: This vulnerability represents the highest possible security risk with a CVSS score of 10.0. The Live Auction Cockpit uses a deprecated Java applet component that accepts binary Java objects in a specific encoding format. Unauthenticated attackers can send malicious payloads that result in deserialization of untrusted data, enabling arbitrary operating system command execution and complete system compromise.

Exploitation Status: While no active exploitation has been confirmed, the unauthenticated nature and maximum severity score make this an attractive target for threat actors.

Remediation: Apply the latest SAP patch for SRM_SERVER immediately. Additionally, discontinue use of deprecated Java applets wherever possible to reduce attack surface.

Related SRM Vulnerabilities (CVSS 9.1-10.0)

CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018 represent additional insecure deserialization vulnerabilities in the same SRM Live Auction Cockpit component. These interconnected vulnerabilities suggest multiple attack vectors within the system that could be chained together for maximum impact.

High Severity Issues

CVE-2025-42967 - Code Injection in S/4HANA (CVSS 9.1)

Affected Products:

  • SAP S/4HANA (S4CORE versions 102-108)

  • SAP SCM (SCMAPO 713-714, SCM 700-712)

Impact: This code injection vulnerability allows attackers with high privileges to execute arbitrary code by crafting malicious reports within the SCM Characteristic Propagation module. While authentication is required, the ability to execute arbitrary code makes this a severe risk for organizations.

CVE-2025-42970 - SAPCAR Directory Traversal

Affected Products: SAPCAR versions 7.53 and 7.22EXT

Impact: Attackers can exploit a path traversal flaw within SAPCAR, potentially allowing them to overwrite files in arbitrary locations during archive extraction. This vulnerability is particularly concerning as SAPCAR is essential for SAP package management across virtually all SAP installations.

CVE-2025-43001 - Privilege Escalation

This privilege escalation vulnerability affects multiple SAP components and allows attackers to gain unauthorized administrative access to sensitive functions and data.

Technical Deep Dive: CVE-2025-30012

The Vulnerability

The root cause of CVE-2025-30012 lies in the unsafe deserialization of Java objects within the SRM Live Auction Cockpit. The application accepts serialized Java objects from untrusted sources without proper validation or sanitization. When these objects are deserialized, malicious code embedded within them executes with the privileges of the SAP application.

Attack Scenario

  1. Attacker identifies a SAP SRM system running the vulnerable Live Auction Cockpit

  2. Without any authentication, attacker crafts a malicious serialized Java object

  3. The payload is sent to the vulnerable endpoint using the specific encoding format expected by the application

  4. Upon deserialization, the malicious code executes, providing the attacker with system-level access

  5. From this foothold, the attacker can move laterally through the SAP landscape, exfiltrate data, or deploy ransomware

Detection and Indicators

Monitor for:

  • Unexpected Java deserialization events in SRM application logs

  • Unusual process spawning from SAP application processes

  • Network connections to unfamiliar external IP addresses from SRM servers

  • Sudden spikes in CPU or memory usage on affected systems

Additional Recommendations

  • Immediate Patching Priority: Given the CVSS 10.0 score and unauthenticated nature of the primary vulnerability, organizations should treat this as an emergency patch cycle

  • Network Segmentation: Ensure SRM systems are properly segmented from internet-facing infrastructure

  • Monitoring Enhancement: Implement enhanced monitoring for Java deserialization attempts and unusual system behavior

  • Vulnerability Scanning: Conduct immediate scans to identify all vulnerable SAP systems in your environment

  • Incident Response Readiness: Prepare incident response teams for potential exploitation attempts

Resources and References

Peter Girnus
Previous

Ivanti Security Update for July, 2025: Connect Secure and Policy Secure VPN Appliances

Next

How to Mount an AWS S3 Bucket on macOS