CVE-2025-30018 Overview
CVE-2025-30018 is an XML External Entity (XXE) injection vulnerability in the Live Auction Cockpit component of SAP Supplier Relationship Management (SRM). This vulnerability allows an unauthenticated attacker to submit a crafted XML file through an application servlet request. When the malicious XML is parsed by the server, it enables the attacker to access sensitive files and data from the affected system.
Critical Impact
This vulnerability allows unauthenticated attackers to read sensitive files and data from SAP SRM systems without requiring any user interaction or prior authentication, posing significant risk to enterprise procurement and supplier management data.
Affected Products
- SAP Supplier Relationship Management version 7.14
- SAP SRM Live Auction Cockpit component
- Enterprise deployments running vulnerable SAP SRM configurations
Discovery Timeline
- 2025-05-13 - CVE-2025-30018 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2025-30018
Vulnerability Analysis
The vulnerability resides in the Live Auction Cockpit servlet component of SAP Supplier Relationship Management. This component accepts XML input from users but fails to properly configure the XML parser to prevent external entity processing. When an attacker submits a malicious XML document containing external entity declarations, the parser resolves these entities, allowing the attacker to read arbitrary files from the server's filesystem or access internal network resources.
This XXE vulnerability (CWE-611) specifically impacts the confidentiality of the application. An attacker can potentially exfiltrate sensitive configuration files, database credentials, internal application data, or other confidential information stored on the server. The vulnerability does not directly impact system integrity or availability, as it is primarily an information disclosure issue.
Root Cause
The root cause of this vulnerability is improper configuration of the XML parser used by the Live Auction Cockpit servlet. The parser accepts and processes XML external entity declarations without proper restrictions or sanitization. When external entities are defined in a DTD (Document Type Definition) and referenced within the XML document, the parser attempts to resolve them, potentially fetching local files or making network requests to arbitrary URLs.
Standard secure XML parsing practices require disabling external entity processing, disabling DTD processing, or using XML parsers configured with secure defaults. The affected SAP SRM component fails to implement these security controls.
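The parser configuration described above is the whole fix: with no DTD accepted, an external entity cannot be declared, and with entity resolution refused nothing is fetched even if a DTD gets through. The block below is an added illustration and is not SAP's Live Auction Cockpit code or its patch; it uses Python's standard-library expat parser, whose DOCTYPE, entity-declaration and external-entity handlers play the same role as the secure-processing features a Java servlet would set on its DocumentBuilderFactory. The bid document and the `file:///PLACEHOLDER/path` identifier are constructed samples.

```python
"""Hardened XML intake for an untrusted servlet request (added example).

Not SAP code. Uses the stdlib expat parser to show the two controls the
advisory names: refuse DTDs entirely, and refuse entity resolution as a
second layer in case a DTD is ever accepted.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when client XML tries to use DTD or entity features."""


def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse client XML with DTD and external entities refused.

    Returns a flat {element: text} dict for the demo. Raises UnsafeXMLError
    before any SYSTEM/PUBLIC identifier (file path or URL) could be opened.
    """
    parser = xml.parsers.expat.ParserCreate()

    # Layer 1: refuse any DOCTYPE. Without a DTD there is nowhere to declare
    # an external entity, which is the precondition for XXE (CWE-611).
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declaration not accepted: %s" % name)

    # Layer 2 (defence in depth): refuse every entity declaration and every
    # external entity reference instead of fetching what it points at.
    def reject_entity_decl(*decl):
        raise UnsafeXMLError("ENTITY declaration not accepted: %s" % decl[0])

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity reference not accepted: %r" % system_id)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    # Never load an external DTD subset, even if one is referenced.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    fields: dict = {}
    stack: list = []

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def chars(data):
        # expat may deliver text in several chunks; concatenate them.
        if stack:
            fields[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError("malformed XML rejected: %s" % exc) from exc
    return {k: v.strip() for k, v in fields.items() if v.strip()}


def check_submission(xml_bytes: bytes):
    """Return (accepted, fields_or_reason) so the caller can log rejections."""
    try:
        return True, parse_untrusted(xml_bytes)
    except UnsafeXMLError as exc:
        return False, str(exc)


# Constructed samples: a benign bid and one carrying an external entity.
BENIGN_BID = b"<bid><auction>A-1</auction><amount>100</amount></bid>"
XXE_BID = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE bid [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
           b"<bid><auction>&ext;</auction></bid>")

if __name__ == "__main__":
    print(check_submission(BENIGN_BID))
    print(check_submission(XXE_BID))
```

The rejection happens in the DOCTYPE handler, i.e. before the DTD body is even read, so the entity's target is never touched; the rejection reason is returned rather than echoed into the HTTP response, which is what you want when the endpoint is reachable without authentication.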
Attack Vector
The attack is executed over the network and requires no authentication or user interaction. An attacker can craft a malicious XML payload containing external entity definitions that reference sensitive files on the target system (such as /etc/passwd on Unix systems or C:\Windows\win.ini on Windows systems). By submitting this payload to the vulnerable Live Auction Cockpit servlet endpoint, the attacker can retrieve the contents of these files in the server's response.
The attack can also be leveraged for Server-Side Request Forgery (SSRF), where the attacker uses the external entity to make HTTP requests to internal network resources that would otherwise be inaccessible from outside the network.
Detection Methods for CVE-2025-30018
Indicators of Compromise
- Unusual XML requests to the Live Auction Cockpit servlet containing DTD declarations or entity references
- HTTP requests with XML payloads containing strings like <!DOCTYPE, <!ENTITY, or SYSTEM keywords
- Web server logs showing requests to SAP SRM endpoints with abnormally large or suspicious XML content
- File-access audit records showing the web application server process reading sensitive system or configuration files it has no normal reason to open
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block XML payloads containing external entity declarations
- Monitor SAP SRM application logs for XML parsing errors or unusual access patterns to the Live Auction Cockpit
- Implement network traffic analysis to identify HTTP requests containing XXE attack signatures
- Configure SIEM rules to alert on patterns consistent with XXE exploitation attempts targeting SAP infrastructure
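The indicators and detection strategies above reduce to a small set of textual patterns in the request body: a DOCTYPE, a general entity declared with SYSTEM or PUBLIC, and the parameter-entity form (`<!ENTITY % name SYSTEM ...>`) that a naive `<!ENTITY name SYSTEM` signature misses. The block below is an added example, not SAP tooling or a vendor detection rule; it runs that classification over constructed request records. The `/lacockpit/` path hint, the record format and every body shown are assumptions made for the demo and must be replaced with the real servlet path and log format of the deployment.

```python
"""XXE indicator scan over logged XML request bodies (added example).

Not SAP or vendor code. The record format and servlet path are constructed
assumptions; a real SAP SRM or WAF log needs its own parser in front of this.
"""
import re
from typing import Iterable

# XML keywords are case-sensitive, so a parser only honours the upper-case
# forms; matching is kept case-sensitive to avoid noise from plain text.
INDICATORS = {
    # Any DTD at all is abnormal for an API client posting data.
    "dtd_declared": re.compile(r"<!DOCTYPE\b"),
    # External general entity: <!ENTITY name SYSTEM "..."> or PUBLIC "..." "..."
    "external_general_entity": re.compile(r"<!ENTITY\s+(?!%)\S+\s+(SYSTEM|PUBLIC)\b"),
    # External parameter entity: <!ENTITY % name SYSTEM "...">, used when the
    # DTD is staged on a remote host (the SSRF variant the advisory mentions).
    "external_parameter_entity": re.compile(r"<!ENTITY\s+%\s+\S+\s+(SYSTEM|PUBLIC)\b"),
    # Internal-only entity: not XXE by itself, but still unusual here.
    "internal_entity": re.compile(r'<!ENTITY\s+\S+\s+"[^"]*"'),
}
HIGH = {"external_general_entity", "external_parameter_entity"}


def classify_body(body: str) -> dict:
    """Return the indicator names found in one body plus a severity."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    if HIGH.intersection(hits):
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"indicators": hits, "severity": severity}


def scan_requests(records: Iterable[dict], path_hint: str = "/lacockpit/") -> list:
    """Alert rows for records to the auction servlet whose body carries XXE indicators.

    path_hint is an assumed substring for the Live Auction Cockpit servlet
    path; take the real one from the deployment.
    """
    alerts = []
    for rec in records:
        if path_hint not in rec["path"]:
            continue
        result = classify_body(rec["body"])
        if result["severity"] != "none":
            alerts.append({"id": rec["id"], "src": rec["src"], **result})
    return alerts


# Constructed sample records (not real traffic); hosts and paths are placeholders.
SAMPLE_RECORDS = [
    {"id": 1, "src": "10.0.0.5", "path": "/lacockpit/bid",
     "body": "<bid><amount>100</amount></bid>"},
    {"id": 2, "src": "203.0.113.9", "path": "/lacockpit/bid",
     "body": '<?xml version="1.0"?><!DOCTYPE b [<!ENTITY x SYSTEM "file:///PLACEHOLDER">]><bid>&x;</bid>'},
    {"id": 3, "src": "203.0.113.9", "path": "/lacockpit/bid",
     "body": '<!DOCTYPE b [<!ENTITY % p SYSTEM "http://PLACEHOLDER.example/x.dtd"> %p;]><bid/>'},
    {"id": 4, "src": "10.0.0.7", "path": "/lacockpit/bid",
     "body": '<!DOCTYPE b [<!ENTITY co "Example Corp">]><bid>&co;</bid>'},
    {"id": 5, "src": "10.0.0.8", "path": "/other/app",
     "body": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>'},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_RECORDS):
        print(alert)
```

Records 2 and 3 come out as high severity, record 4 (an internal entity only) as medium, and record 5 is ignored because it does not target the auction servlet. Pair the high-severity hits with the outbound-connection monitoring recommended below: an external parameter entity followed by a new outbound connection from the SRM host is the SSRF-via-XXE pattern.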
Monitoring Recommendations
- Enable detailed logging on SAP SRM application servers to capture all incoming XML requests
- Monitor for outbound connections from SAP SRM servers to unexpected internal or external hosts, which may indicate SSRF via XXE
- Review file access logs on SAP SRM servers for unusual read operations on sensitive configuration or system files
- Implement anomaly detection for unusual data volumes being returned from Live Auction Cockpit endpoints
How to Mitigate CVE-2025-30018
Immediate Actions Required
- Apply the security patch referenced in SAP Note #3578900 immediately
- If immediate patching is not possible, disable or restrict access to the Live Auction Cockpit component
- Implement network-level access controls to limit which systems can reach the vulnerable servlet endpoint
- Review SAP SRM logs for any evidence of exploitation attempts prior to patching
Patch Information
SAP has released a security update to address this vulnerability. Administrators should obtain and apply the patch through official SAP support channels. The relevant security documentation is available through SAP Note #3578900 and the SAP Security Patch Day portal.
Organizations running SAP Supplier Relationship Management version 7.14 should prioritize this update as part of their regular SAP maintenance windows. Given the unauthenticated nature of the attack vector, exposure of SAP SRM systems to untrusted networks significantly increases the risk profile.
Workarounds
- Implement a Web Application Firewall (WAF) rule to block XML requests containing external entity declarations to SAP SRM endpoints
- Restrict network access to the Live Auction Cockpit servlet to only trusted internal networks or authorized IP ranges
- If the Live Auction Cockpit functionality is not actively used, consider disabling the component entirely until patches can be applied
- Deploy reverse proxy configurations that strip or sanitize DTD and external entity references from incoming XML requests
# Example: WAF rule pattern to detect XXE attempts (ModSecurity)
# REQUEST_BODY is only inspected when request body access is enabled.
# The pattern covers general entities (<!ENTITY name SYSTEM ...>) as well as
# parameter entities (<!ENTITY % name SYSTEM ...>) and PUBLIC identifiers.
SecRequestBodyAccess On
SecRule REQUEST_BODY "@rx <!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)\b" \
    "id:100001,phase:2,deny,status:403,t:none,msg:'Potential XXE Attack Detected'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.