CVE-2025-30011
📋 TL;DR
An unauthenticated attacker can exploit a deprecated Java applet component in SAP SRM's Live Auction Cockpit to send malicious requests that disclose internal version details of the affected system. This affects SAP Supplier Relationship Management systems with the vulnerable component enabled. The vulnerability has low confidentiality impact with no effect on integrity or availability.
💻 Affected Systems
- SAP Supplier Relationship Management (SRM)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map internal system architecture and identify other potential vulnerabilities by obtaining version information, potentially facilitating further attacks.
Likely Case
Information disclosure revealing SAP SRM version details, which could aid attackers in reconnaissance for targeted attacks.
If Mitigated
Limited to no impact if proper network segmentation and access controls prevent unauthenticated access to the vulnerable component.
🎯 Exploit Status
Exploitation involves sending crafted requests to the deprecated Java applet component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3578900
Vendor Advisory: https://me.sap.com/notes/3578900
Restart Required: Yes
Instructions:
1. Download SAP Note 3578900 from the SAP Support Portal.
2. Apply the security patch according to SAP's standard patching procedures.
3. Restart the affected SAP SRM system to activate the fix.
🔧 Temporary Workarounds
Disable Live Auction Cockpit
Disable or remove the vulnerable Java applet component from the SAP SRM system.
Consult SAP documentation for component disabling procedures specific to your SRM version.
Network Access Control
Restrict network access to the SAP SRM system to trusted IP addresses only.
Configure firewall rules to allow only authorized users/systems to access the SRM application.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the SAP SRM system from untrusted networks.
- Monitor for unusual requests to the Live Auction Cockpit component and investigate any anomalies.
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3578900 is applied in your SAP system using transaction SNOTE or by consulting system logs.
Check Version:
Use SAP transaction SM51, or system information commands at the OS level, to check the SAP SRM version.
Verify Fix Applied:
Verify that the patch from SAP Note 3578900 is successfully implemented and no longer discloses version information via the vulnerable component.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to the Live Auction Cockpit endpoint
- Java applet-related errors or warnings in SAP application logs
Network Indicators:
- Traffic patterns indicating repeated requests to the vulnerable component from unauthenticated sources
SIEM Query:
Search for HTTP requests containing 'LiveAuctionCockpit' or similar patterns from external IP addresses.
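The log and network indicators above, worked as a small detector (an added example, not part of the advisory and not SAP's own tooling). It scans web-server access log lines for requests whose path contains 'LiveAuctionCockpit' (case-insensitive), keeps only those from sources outside an assumed set of trusted internal ranges, and raises an alert when one external source repeats such requests without an authenticated user. The log lines, the request paths and the trusted ranges are all constructed for the example; the real Live Auction Cockpit URL depends on the SRM installation, and the source addresses are RFC 5737 documentation ranges standing in for external hosts.

```python
"""Added example: flag repeated unauthenticated requests to a Live Auction
Cockpit path from external sources in constructed access log lines."""
import ipaddress
import re

# Constructed sample log (combined-log style). The path under /sap/srm/ is a
# placeholder; 203.0.113.0/24 and 198.51.100.0/24 stand in for external hosts.
SAMPLE_LOG = """\
10.1.2.3 - jdoe [02/May/2025:10:01:12 +0000] "GET /sap/srm/LiveAuctionCockpit/applet HTTP/1.1" 200 5120
203.0.113.45 - - [02/May/2025:10:02:05 +0000] "GET /sap/srm/LiveAuctionCockpit/applet?x=1 HTTP/1.1" 200 812
203.0.113.45 - - [02/May/2025:10:02:06 +0000] "GET /sap/srm/liveauctioncockpit/info HTTP/1.1" 200 640
203.0.113.45 - - [02/May/2025:10:02:07 +0000] "GET /sap/srm/LiveAuctionCockpit/applet?x=2 HTTP/1.1" 200 812
198.51.100.7 - - [02/May/2025:10:03:00 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12
192.168.5.9 - - [02/May/2025:10:04:00 +0000] "GET /sap/srm/LiveAuctionCockpit/applet HTTP/1.1" 200 5120
"""

# Assumed trusted (internal) ranges; adjust to the real deployment. Everything
# outside these is treated as external, which is what the advisory's
# "external IP addresses" indicator asks for.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)
# Substring the advisory names as the indicator; matched case-insensitively.
PATTERN = re.compile(r"liveauctioncockpit", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip):
    """True when the address is outside every trusted range (or unparseable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed source field: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def analyze(log_text, repeat_threshold=2):
    """Summarise Live Auction Cockpit requests and alert on repeating external sources."""
    matched = 0
    per_source = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not PATTERN.search(ev["path"]):
            continue
        matched += 1
        if not is_external(ev["ip"]):
            continue
        bucket = per_source.setdefault(ev["ip"], {"requests": 0, "unauthenticated": True})
        bucket["requests"] += 1
        if ev["user"] != "-":  # a logged-in user weakens the "unauthenticated" indicator
            bucket["unauthenticated"] = False
    alerts = [
        {"source": ip, **info}
        for ip, info in per_source.items()
        if info["requests"] >= repeat_threshold
    ]
    return {
        "matched": matched,
        "external_sources": {ip: v["requests"] for ip, v in per_source.items()},
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['matched']} requests hit the Live Auction Cockpit path")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Tune `TRUSTED_NETS` to the addresses that legitimately reach the SRM front end and raise `repeat_threshold` if the component is still in production use; the point of the external-source filter is to surface the reconnaissance pattern in the Network Indicators above rather than every internal user of the cockpit.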