SAP SRM is a legacy solution, but many companies have managed their supplier relationships with it for years. Recent findings, however, have highlighted a series of critical security vulnerabilities in the application, posing significant risks to the businesses that still run it.
In March 2025, the Cybersecurity and Infrastructure Security Agency (CISA) warned of the active exploitation of a vulnerability in the SAP NetWeaver AS Java Application Server, specifically affecting SAP SRM. This vulnerability, originally added to the known exploited vulnerabilities catalog in 2017, is a prime example of an insecure deserialization issue.
Insecure deserialization occurs when an application reconstructs an object from untrusted data without validating it first, so that the sender of the data decides which classes are instantiated and with what state, and can thereby inject malicious instructions. Successful exploitation of such vulnerabilities can grant attackers full control over the system, with consequences ranging from espionage and sabotage to fraud and ransomware deployment.
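To make the mechanism concrete, the following is an added Java example (written for this article; it is not SAP code and is not taken from any of the advisories cited). It places the unsafe deserialization pattern next to its hardened form: an ObjectInputFilter allowlist, available since JDK 9, that rejects any class the application does not expect before that class can be instantiated. The SupplierRecord type and the sample payloads are constructed for the demonstration, and the HashMap merely stands in for "an object type the server did not expect".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not SAP code: unsafe and allowlist-filtered Java
// deserialization side by side. Requires JDK 9+ (ObjectInputFilter, JEP 290).
public class DeserializationFilterDemo {

    // Constructed sample type standing in for an application's own data class.
    static final class SupplierRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String supplierId;
        SupplierRecord(String supplierId) { this.supplierId = supplierId; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // UNSAFE: the byte stream itself names the classes to instantiate, so any
    // serializable class on the server's classpath is reachable by the sender.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED: an allowlist filter. Only the named classes may be resolved; the
    // trailing "!*" rejects everything else before a constructor or readObject()
    // of an unexpected class can run. The limits bound resource-exhaustion payloads.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=65536;maxrefs=1000;"
            + SupplierRecord.class.getName() + ";"
            + "java.lang.String;"
            + "!*");

    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOWLIST);   // must be set before the first readObject()
            return in.readObject();               // InvalidClassException on a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SupplierRecord("SUP-0001"));
        // Constructed stand-in for an object type the server never expected.
        byte[] unexpected = serialize(new HashMap<String, String>());

        // Unfiltered: both streams are reconstructed without question.
        System.out.println("unfiltered, expected:   " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass().getName());

        // Filtered: the expected class passes, the unexpected one is rejected.
        System.out.println("filtered, expected:     " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The filtered call rejects the HashMap stream with an InvalidClassException whose message ends in "filter status: REJECTED", which is exactly the event a defender wants logged: the same rejection can be applied JVM-wide with the `jdk.serialFilter` system property, so that code paths which forgot to set a filter are still covered. The allowlist approach matters because a denylist of known-dangerous classes has to be updated every time a new one is found, whereas an allowlist only needs to know what the application legitimately expects.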
One such critical vulnerability, CVE-2025-31324, affects SAP Visual Composer and allows unauthenticated attackers to upload arbitrary files, leading to immediate full compromise of the affected system. On May 13, 2025, SAP published Security Note 3604119, which directly addresses CVE-2025-42999, another security vulnerability with a CVSS score of 9.1. This patch resolves the underlying root cause of CVE-2025-31324.
On May 15, 2025, CISA added CVE-2025-42999 to its catalog of known exploited vulnerabilities. The number of companies potentially affected by these critical deserialization vulnerabilities is relatively low, but the risk is high, because successful exploitation can have severe consequences.
In response, companies are encouraged to migrate from SAP SRM to SAP Ariba or Fieldglass. July's Patch Day highlighted CVE-2025-30018 (SAP Security Note #3578900), a critical vulnerability that can be exploited in the same way as the CVEs above, which underlines the need to patch immediately.
However, no specific information is publicly available on which companies were likely affected by the critical deserialization vulnerability CVE-2025-30018 in SAP Supplier Lifecycle Management in 2025. It is crucial for companies using SAP SRM to assess their own risk and take the precautions necessary to protect their systems.
In collaboration with Mandiant, Onapsis has developed and published open-source tools to identify and assess the risk posed by CVE-2025-31324 and CVE-2025-42999. These tools can help companies secure their SAP environments and mitigate potential threats.
In conclusion, the recent discovery of critical security vulnerabilities in SAP SRM underscores the importance of regular security assessments and updates for legacy applications. Companies should prioritise the migration to more secure solutions and implement robust security measures to protect their systems from potential threats.