Update: SAP's July 2025 Security Patch Day delivered a record-breaking 27 new security notes plus four updates, representing twice the average monthly output and addressing multiple critical vulnerabilities across core enterprise systems. The most severe flaw, CVE-2025-30012, received the maximum CVSS score of 10.0 after being reclassified from its initial low-severity rating in May.
This vulnerability in the Supplier Relationship Management Live Auction Cockpit allows an unauthenticated attacker to execute arbitrary operating-system commands by sending a crafted request that the component deserializes without validation. Five additional critical vulnerabilities (CVSS 9.1-9.9) affect NetWeaver components through similar deserialization flaws, while CVE-2025-42967 enables code injection in S/4HANA and SCM systems.
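The flaw class behind CVE-2025-30012 and the NetWeaver notes is insecure deserialization: the receiver rebuilds objects from attacker-controlled bytes, and the reconstruction step itself invokes code chosen by the sender. The following is an added illustration of that class written for this page, not SAP's code and not a reproduction of the actual SAP bug; it uses Python's `pickle` rather than the Java serialization used by NetWeaver, and the `Order`, `Gadget`, `vulnerable_load` and `safe_load` names are invented for the example. The "malicious" payload runs a harmless `echo` so the effect is observable without doing damage.

```python
import io
import pickle
import subprocess

MODULE = __name__  # module name under which Order is pickled (script or import)


class Order:
    """Benign application object that a service legitimately exchanges."""

    def __init__(self, item: str, qty: int) -> None:
        self.item = item
        self.qty = qty


class Gadget:
    """Constructed attacker payload (hypothetical). pickle calls the callable
    returned by __reduce__ while deserializing, so the *receiver* runs the
    command embedded here."""

    def __reduce__(self):
        # Harmless stand-in for an OS command; a real payload would not echo.
        return (subprocess.check_output, (["echo", "deserialized-rce"],))


def vulnerable_load(data: bytes):
    """Insecure pattern: untrusted bytes handed straight to the deserializer."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: only an explicit allow-list of classes may be rebuilt;
    every other global lookup (subprocess.check_output, os.system, ...) is
    refused before any code runs."""

    ALLOWED = {(MODULE, "Order")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return Order
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(data: bytes):
    """Deserialize with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders against a benign and a malicious payload."""
    benign = pickle.dumps(Order("widget", 3))      # constructed sample input
    malicious = pickle.dumps(Gadget())             # constructed attacker input

    results = {}
    results["vulnerable_benign"] = vulnerable_load(benign).qty
    # The vulnerable loader executes the embedded command and returns its output.
    results["vulnerable_malicious"] = vulnerable_load(malicious)
    results["safe_benign"] = safe_load(benign).qty
    try:
        safe_load(malicious)
        results["safe_malicious"] = "loaded"
    except pickle.UnpicklingError:
        results["safe_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the vulnerable loader never "decides" to run a command; simply parsing the bytes triggers it, which is why these SAP flaws need no authentication and bypass application-level checks that run after the object exists. The Java equivalent of `RestrictedUnpickler` is an `ObjectInputFilter` (JEP 290) that rejects any class outside an allow-list before `ObjectInputStream` instantiates it.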
Security firm Onapsis, which collaborated with SAP's Product Security Research Team on these discoveries, warns that successful exploitation bypasses traditional SAP security controls and could enable ransomware deployment on critical business systems.
Why it Matters: These vulnerabilities belong to the same class of flaws recently exploited in large-scale global attacks attributed to sophisticated China-nexus threat actors, creating immediate concern for enterprise security teams. The maximum CVSS 10.0 rating for CVE-2025-30012 indicates that an unauthenticated, remotely exploitable flaw can lead to complete system compromise, while the cluster of deserialization findings in a single month suggests that researchers, and likely attackers as well, are systematically probing this bug class across SAP products.
JP Perez-Etchegoyen from Onapsis emphasizes that exploitation could result in "espionage, sabotage, or fraud" with full system control, making these patches critical for organizations managing sensitive business data. The record number of patches also highlights the increasing scrutiny of enterprise software security, particularly as threat actors shift focus to high-value business applications that traditional endpoint security may not adequately protect.