Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in Multiple SAP Products

11 July 2025

SAP has released security updates addressing multiple critical vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) and SAP S/4HANA / SAP Supply Chain Management (Characteristic Propagation).

Background

SAP has released security updates addressing multiple critical vulnerabilities (CVE-2025-30012 & CVE-2025-42967) in SAP Supplier Relationship Management (SRM) (Live Auction Cockpit), SAP S/4HANA and SAP Supply Chain Management (SCM) (Characteristic Propagation), respectively.

Impact

The vulnerabilities are:

  • CVE-2025-30012: A deserialisation vulnerability that could allow an unauthenticated attacker to send a malicious payload request in a specific encoding format, leading to execution of arbitrary OS command on target as a SAP Administrator. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.

  • CVE-2025-42967: A remote code execution vulnerability that could allow an attacker with user level privileges to create a new report with their own code and gain full control of the affected SAP system. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.

Affected Products

The vulnerabilities affect the following products:

CVE-2025-30012:

  • SAP SRM (Live Auction Cockpit) version SRM_SERVER 7.14

CVE-2025-42967: 

  • SAP S/4HANA and SAP SCM (Characteristic Propagation) versions:

    • SCMAPO 713 and 714

    • S4CORE 102 to 104 

    • S4COREOP 105 to 108 

    • SCM 700 to 702 and 712

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/bulletin-2025.html#:~:text=SAP%20Security%20Patch%20Day%20%2D%20July%202025

https://nvd.nist.gov/vuln/detail/cve-2025-30012

https://nvd.nist.gov/vuln/detail/CVE-2025-42967

Back to top