Citrix Bleed 2: Token Theft Vulnerability and SAP GUI Flaws Endanger Sensitive Data


Recent SAP GUI Vulnerabilities Highlight Data Security Concerns

Cybersecurity researchers have identified vulnerabilities in the SAP Graphical User Interface (SAP GUI) for Windows and for Java that put sensitive data stored on user workstations at risk. The flaws, tracked as CVE-2025-0055 (SAP GUI for Windows) and CVE-2025-0056 (SAP GUI for Java), have been patched by SAP and each carry a Common Vulnerability Scoring System (CVSS) score of 6.0, medium severity on paper but a real concern because of the kind of data involved.

Understanding the Vulnerabilities

Both vulnerabilities concern the insecure storage of user input history in the SAP GUI. The input history feature is meant to improve the user experience by letting users recall values they have typed before, which can include sensitive data such as usernames, Social Security numbers (SSNs) and bank account details. Pathlock researcher Jonathan Stross found that this history is written to the local disk of the user's device, where it can be read by anyone who gets access to the machine.

Details of the Flaws

The weaknesses stem from how the SAP GUI stores that input history on disk. An attacker with administrative rights, or with access to the victim's user directory, can read the history files directly. SAP GUI for Windows keeps the history in a database file at:

  • %APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory<winuser>.db

SAP GUI for Java keeps it in a platform-specific directory:

  • Windows: %APPDATA%\LocalLow\SAPGUI\Cache\History
  • Linux: $HOME/.SAPGUI/Cache/History
  • macOS: $HOME/Library/Preferences/SAP/Cache/History

How the data is stored is the real problem. The Windows client protects the history only with a weak XOR-based scheme, which is obfuscation rather than encryption and is easy to reverse. The Java client does not encrypt the history at all: entries are written to disk as plain Java serialized objects.

Implications of Data Exposure

The severity therefore depends on what users have typed. Depending on past input, the exposed information ranges from harmless to highly sensitive, and its disclosure compromises the confidentiality of both the application and its users. Stross stressed how easy the history files are to reach: anyone with access to the computer can extract the data, and that access can be obtained through techniques such as HID injection attacks or phishing.

To mitigate these vulnerabilities, users should disable the input history feature in the SAP GUI client and then delete any existing history database or serialized-object files from the locations listed above. Deleting the files without disabling the feature only helps until the next session, because the client writes them again.
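The check and cleanup described above, as an added example that is not code from the article, from Pathlock or from SAP: it visits the history directories the article lists for the current platform, reports every file found, flags files that begin with the Java serialization stream header (bytes AC ED 00 05, the start of every `java.io.ObjectOutputStream` stream, which is what an unencrypted serialized history object looks like on disk), and optionally deletes the findings. The Windows `SAPHistory<user>.db` file is reported by name only; its XOR-obfuscated format is not decoded here. The sample directory the script can build for a dry run is constructed and contains no real data.

```python
"""Audit, and optionally purge, SAP GUI input-history files.

Added example; not code from the article, Pathlock or SAP.
Usage:  python sapgui_history_audit.py [DIR ...] [--purge]
Without DIR it checks the locations the article lists for this platform.
"""
import os
import sys
import tempfile
from pathlib import Path

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream stream header


def history_dirs(platform, env):
    """Candidate history directories for one platform, built from the environment
    the way the article writes the paths. The article uses %APPDATA%\\LocalLow on
    Windows; because %APPDATA% normally expands to ...\\AppData\\Roaming, the
    %USERPROFILE%\\AppData\\LocalLow form is tried as well."""
    if platform == "win32":
        dirs = []
        if "APPDATA" in env:
            dirs.append(Path(env["APPDATA"]) / "LocalLow" / "SAPGUI" / "Cache" / "History")
        if "USERPROFILE" in env:
            dirs.append(Path(env["USERPROFILE"]) / "AppData" / "LocalLow" / "SAPGUI" / "Cache" / "History")
        return dirs
    home = Path(env.get("HOME", "~")).expanduser()
    if platform == "darwin":
        return [home / "Library" / "Preferences" / "SAP" / "Cache" / "History"]
    return [home / ".SAPGUI" / "Cache" / "History"]          # Linux and other Unix


def classify(path):
    """Label one file by what the article says each client writes."""
    if path.name.startswith("SAPHistory") and path.suffix == ".db":
        return "windows-db"          # SAP GUI for Windows, XOR-obfuscated database
    try:
        with path.open("rb") as fh:
            head = fh.read(len(JAVA_SERIAL_MAGIC))
    except OSError:
        return "unreadable"
    if head == JAVA_SERIAL_MAGIC:
        return "java-serialized"     # SAP GUI for Java, plaintext serialized object
    return "other"


def audit(dirs):
    """One record per file found under the candidate directories."""
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                findings.append({"path": str(p), "name": p.name,
                                 "kind": classify(p), "bytes": p.stat().st_size})
    return findings


def purge(findings):
    """Delete the history files recorded by audit(); returns the count removed.
    Disable the input-history feature in the client first, otherwise the
    files are simply written again."""
    removed = 0
    for f in findings:
        if f["kind"] in ("windows-db", "java-serialized"):
            Path(f["path"]).unlink()
            removed += 1
    return removed


def make_sample_tree():
    """Constructed sample directory for a dry run; the contents are not real data."""
    root = Path(tempfile.mkdtemp(prefix="sapgui-history-"))
    (root / "SAPHistoryalice.db").write_bytes(b"\x00" * 64)   # stand-in for the Windows db
    # stream header followed by TC_OBJECT (0x73) and TC_CLASSDESC (0x72)
    (root / "history.ser").write_bytes(JAVA_SERIAL_MAGIC + b"\x73\x72")
    (root / "readme.txt").write_bytes(b"not history data")
    return str(root)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--purge"]
    dirs = args or history_dirs(sys.platform, dict(os.environ))
    found = audit(dirs)
    for f in found:
        print(f"{f['kind']:16} {f['bytes']:8d}  {f['path']}")
    if "--purge" in sys.argv:
        print(f"removed {purge(found)} file(s)")
```

Run it without arguments on a workstation to list what the SAP GUI clients have left behind, and with `--purge` once the history feature has been switched off. The magic-byte check matters more than the file name: it proves the Java client's history is readable by anything that can open the file, which is the point of CVE-2025-0056.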

Citrix’s Response to Vulnerability

Separately, Citrix has addressed a critical security flaw in NetScaler ADC and NetScaler Gateway, tracked as CVE-2025-5777. With a CVSS score of 9.3 it sits well above the SAP GUI issues in both severity and potential impact.

Details and Exploitation Risks

The vulnerability is caused by insufficient input validation that leads to a memory overread, which can let an unauthenticated attacker read valid session tokens out of the appliance's memory. Replaying such a token bypasses authentication, and the issue is reachable when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Dubbed "Citrix Bleed 2," it closely resembles CVE-2023-4966, the original Citrix Bleed, which was widely exploited in 2023 to hijack sessions.

Citrix has released fixed builds for the supported branches:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later (the non-FIPS 12.1 and the 13.0 branches are end of life and receive no fix)

Organizations using Secure Private Access with NetScaler are advised to terminate all active ICA and PCoIP sessions after upgrading, because a session token read from memory before the patch stays valid until its session is torn down.
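Deciding which appliances in a fleet still need the update is a version comparison against the fixed builds listed above, and it is easy to get wrong because NetScaler builds are "build.sub-build" pairs (14.1-44.10 is newer than 14.1-43.56). The script below is an added example, not Citrix's tooling; it accepts version strings both in the advisory's form ("14.1-43.56") and in the form `show ns version` prints on the appliance CLI ("NetScaler NS14.1: Build 43.50.nc"), and reports a build on a branch with no fix listed (such as 13.0) as vulnerable rather than guessing. The inventory it triages by default is constructed; the hostnames and builds are made up.

```python
"""Triage NetScaler ADC / Gateway builds against the CVE-2025-5777 fix list.

Added example; not Citrix's code. FIXED_BUILDS holds the first fixed build
per branch as listed in the article.
"""
import re

# branch -> (build, sub-build) of the first fixed release
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "12.1": (55, 328),   # the 12.1-FIPS line; non-FIPS 12.1 has no fix listed
}

# Matches "14.1-43.56", "NS14.1: Build 43.50.nc" and "14.1 43.56"
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)", re.IGNORECASE
)


def parse_version(text):
    """Return (branch, build, sub) or None when no version is recognisable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_fixed(text):
    """True only when the build is on a listed branch and at or above its fix.
    Builds compare as (build, sub) tuples, so 14.1-44.10 is newer than
    14.1-43.56 even though 10 < 56."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    branch, build, sub = parsed
    fix = FIXED_BUILDS.get(branch)
    if fix is None:
        return False        # no fixed build exists for this branch; treat as exposed
    return (build, sub) >= fix


def triage(inventory):
    """Map appliance name -> 'fixed' | 'vulnerable' | 'unknown' for a dict of
    name -> version string, e.g. collected from 'show ns version' on each box."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "fixed" if is_fixed(version) else "vulnerable"
        except ValueError:
            result[name] = "unknown"
    return result


# Constructed sample inventory; hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "gw-dc1": "NetScaler NS14.1: Build 43.50.nc",
    "gw-dc2": "NetScaler NS14.1: Build 43.56.nc",
    "aaa-lab": "13.1-58.32",
    "legacy": "NS13.0: Build 92.21.nc",
    "unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status:11} {SAMPLE_INVENTORY[host]}")
```

Feed it the real inventory and every "vulnerable" or "unknown" host goes on the upgrade list; an "unknown" usually means the collector returned something other than a version string and the appliance should be checked by hand. A "fixed" result does not end the job for Gateway or AAA deployments: the session termination step above still has to run on each patched appliance.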

Moving Forward with Security

As users and enterprises navigate an increasingly complex threat landscape, keeping software updated and tracking the vulnerabilities that affect it remains essential. At the time of writing there is no evidence of active exploitation of CVE-2025-5777, but given the history of its predecessor, experts caution that it is a prime target for attackers in the near future.

Persistent vigilance and proactive measures are required for every system that handles sensitive data. Applying security updates promptly, and understanding why a given flaw matters, are what keep that data from unintended exposure.
