July 2025 SAP Patch Day: Record Patches & Critical Deserialization Vulnerabilities

Onapsis co-founder and CTO, JP Perez-Etchegoyen

In today’s Patch Tuesday, SAP released a record number of security patches for their portfolio of applications, at 2x the average output of regular months. Our Onapsis Research Labs regularly does an exceptional job of breaking down each Patch Tuesday to help SAP users understand what’s in each monthly release as well as prioritize execution.

Understanding the Deserialization Threat

However, in this post, I’d like to focus on and highlight a handful of security notes from this Patch Tuesday that belong to a very dangerous class of vulnerability (CWE-502: Deserialization of Untrusted Data (4.17)). This is the same class of vulnerability that was recently exploited in SAP on a global level as part of a broad attack campaign attributed to sophisticated China-nexus threat actor groups. Left unpatched, the vulnerabilities addressed in today’s Patch Tuesday could be leveraged in similar ways by those same state-sponsored groups and/or by other, new threat actors to compromise vulnerable SAP applications.

What is Deserialization of Untrusted Data?

With serialization, an object is converted into a format that can be stored or transmitted more easily. Deserialization is the opposite process, where the object is reconstructed from that formatted data. If an application deserializes untrusted data in an uncontrolled way, the result can be a vulnerability: if attackers inject malicious content into the serialized data, the application may execute unintended code or perform unauthorized actions during reconstruction, which can give the attacker complete control over the target. This is precisely what we saw occur in the large attack campaign for CVE-2025-31324 and CVE-2025-42999 from March to June 2025, where unauthenticated threat actors remotely exploited those vulnerabilities in SAP Visual Composer to execute commands and/or upload arbitrary files, resulting in immediate full compromise of the targeted system.
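To make the distinction between uncontrolled and controlled deserialization concrete, here is an added example that is not code from this post, from Onapsis or from SAP. It uses Python’s `pickle` as a stand-in for the native object-serialization mechanisms in the SAP products discussed (which are Java based; the equivalent Java control is an `ObjectInputFilter`). The sample streams are constructed inline: one encodes a plain dictionary, the other references a class outside the application’s allowlist (`collections.Counter`, chosen because it is harmless) to show how an allowlisting unpickler refuses any class the stream names that the application never expected. The function names, the allowlist and the JSON document shape are assumptions for this illustration.

```python
import collections
import io
import json
import pickle

# Globals the application legitimately needs to rebuild from serialized input
# (an assumed allowlist for this example). Anything else is refused before
# any constructor, __reduce__ callable or __setstate__ hook can run.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves class references on the allowlist.

    find_class() is called for every global the stream names; refusing
    here is what turns 'the stream picks the class' into 'the app picks'.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def unsafe_load(data: bytes):
    """The vulnerable pattern: the stream may name any importable class."""
    return pickle.loads(data)


def restricted_load(data: bytes):
    """The hardened pattern: same format, but class resolution is allowlisted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Detection-style helper: would the restricted loader accept this stream?"""
    try:
        restricted_load(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


def json_load(data: bytes) -> dict:
    """Preferred alternative: a data-only format plus a shape check.

    JSON parsing can never instantiate application classes, so the only
    validation left is whether the document looks like what we expect.
    """
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"supplier_id", "amount"}:
        raise ValueError("unexpected document shape")
    return obj


# Constructed sample inputs (not captured from any real system).
BENIGN_STREAM = pickle.dumps({"supplier_id": "S-1001", "amount": 42})
FOREIGN_STREAM = pickle.dumps(collections.Counter("abc"))
JSON_DOC = b'{"supplier_id": "S-1001", "amount": 42}'


if __name__ == "__main__":
    print("benign stream, restricted loader:", classify(BENIGN_STREAM))
    print("foreign stream, restricted loader:", classify(FOREIGN_STREAM))
    print("foreign stream, unsafe loader builds:",
          type(unsafe_load(FOREIGN_STREAM)).__name__)
    print("json document:", json_load(JSON_DOC))
```

The point to take from the two loaders is that the unsafe one happily reconstructs whatever class the stream names, while the restricted one fails closed on the first unexpected reference; in a real service the rejection branch is also the natural place to log the offending module and class name for detection.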

Key Vulnerabilities in July’s Patch Tuesday

Fast forward to today, and the most critical risk is the vulnerability CVE-2025-30012, which was rated CVSS 10.0, the highest rating possible. Much like in the previous attack campaign, this is a deserialization vulnerability that can be exploited remotely over HTTP(S) with no authentication, resulting in immediate full compromise of a vulnerable system – in this case, one running a vulnerable SAP Supplier Relationship Management (SRM) application. SAP SRM is a legacy solution that is being phased out in favor of SAP Ariba, which fortunately reduces the number of potentially affected organizations worldwide. However, it still remains in service for many organizations that have been managing their supplier relationships and automating their supplier procurement with this application for several years.

Besides this CVSS 10.0 vulnerability, there are 4 additional vulnerabilities mitigated by SAP this month that are also deserialization vulnerabilities – all of which have critical CVSS scores of 9.1. The Onapsis Research Labs collaborated closely with the SAP Product Security Research Team (PSRT) in the discovery, evaluation, and mitigation of all these deserialization vulnerabilities. We would like to acknowledge SAP’s rapid response, thorough analysis, and diligence in addressing these complex issues.

Impact of Deserialization Exploitation

Exploitation of any of these deserialization vulnerabilities bypasses traditional SAP security controls such as Segregation of Duties and other GRC controls. If successful, an attacker gains full control over a vulnerable system, allowing them access to critical business processes and data, which could result in espionage, sabotage, or fraud. With full compromise, threat actors could also use this vulnerability to deploy ransomware on critical SAP systems.

Immediate Action & Onapsis Threat Intelligence

As of July 8th, when this blogpost was published, the Onapsis Research Labs are not aware of any active exploitation currently in the wild. However, as mentioned before, bear in mind that this is the same class of vulnerability that was recently exploited on a massive global scale with CVE-2025-31324 and CVE-2025-42999, and exploitation of all these new deserialization vulnerabilities can be triggered in a similar way as those previous exploitations. The payload that was used by threat actors in those attacks is highly similar to what would be effective against these newly patched vulnerabilities. We will continue to monitor our Global Threat Intelligence Network for any signs of active exploitation.

Prioritize Patching These Critical Vulnerabilities

Organizations are strongly encouraged to immediately prioritize the patching of these critical vulnerabilities with the following Security Notes:

Conclusion: Continuous Vigilance for SAP Cybersecurity

In closing, what the past few months have put into sharp focus is how important it is for large organizations to have effective SAP vulnerability management processes and technology in place, so that their teams have the automation needed to respond to critical SAP cybersecurity issues in a timely manner. Prompt patching, threat monitoring, and continued vigilance over your critical SAP systems are essential to stay ahead of threat actors and reduce your SAP cybersecurity risk footprint.