Cybersecurity researchers have detailed two now-patched safety flaws in SAP Graphical Consumer Interface (GUI) for Home windows and Java that, if efficiently exploited, may have enabled attackers to entry delicate data beneath sure circumstances.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), have been patched by SAP as a part of its month-to-month updates for January 2025.
“The analysis found that SAP GUI enter historical past is saved insecurely, each within the Java and Home windows variations,” Pathlock researcher Jonathan Stross mentioned in a report shared with The Hacker Information.
SAP GUI consumer historical past permits customers to entry beforehand entered values in enter fields with the objective of saving time and lowering errors. This historic data is saved regionally on units. This could embody usernames, nationwide IDs, social safety numbers (SSNs), checking account numbers, and inner SAP desk names.
The vulnerabilities recognized by Pathlock are rooted on this enter historical past function, permitting an attacker with administrative privileges or entry to the sufferer’s consumer listing on the working system to entry the info inside a predefined listing based mostly on the SAP GUI variant.
- SAP GUI for Home windows – %APPDATApercentLocalLowSAPGUICacheHistorySAPHistory
.db - SAP GUI for Java – %APPDATApercentLocalLowSAPGUICacheHistory or $HOME/.SAPGUI/Cache/Historical past (Home windows or Linux) and $HOME/Library/Preferences/SAP/Cache/Historical past (macOS)
The difficulty is that the inputs are saved within the database file utilizing a weak XOR-based encryption scheme within the case of SAP GUI for Home windows, which makes them trivial to decode with minimal effort. In distinction, SAP GUI for Java shops these historic entries in an unencrypted trend as Java serialized objects.
Because of this, relying on the consumer enter supplied prior to now, the disclosed data may embody something between non-critical information to extremely delicate information, thereby impacting the confidentiality of the appliance.
“Anybody with entry to the pc can doubtlessly entry the historical past file and all delicate data it shops,” Stross mentioned. “As a result of the info is saved regionally and weakly (or in no way) encrypted, exfiltration by HID injection assaults (like USB Rubber Ducky) or phishing turns into an actual menace.”
To mitigate any potential dangers related to data disclosure, it is suggested to disable the enter historical past performance and delete present database or serialized object recordsdata from the aforementioned directories.
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated safety flaw in NetScaler (CVE-2025-5777, CVSS rating: 9.3) that may very well be exploited by menace actors to realize entry to inclined home equipment.
The shortcoming stems from inadequate enter validation which will allow unauthorized attackers to seize legitimate session tokens from reminiscence by way of malformed requests, successfully bypassing authentication protections. Nevertheless, this solely works when Netscaler is configured as a Gateway or AAA digital server.
The vulnerability has been codenamed Citrix Bleed 2 by safety researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS rating: 9.4), which got here beneath energetic exploitation within the wild two years in the past.
It has been addressed within the following variations –
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Safe Non-public Entry on-prem or Safe Non-public Entry Hybrid deployments utilizing NetScaler situations are additionally affected by the vulnerabilities. Citrix is recommending that customers run the next instructions to terminate all energetic ICA and PCoIP periods in spite of everything NetScaler home equipment have been upgraded –
kill icaconnection -all kill pcoipConnection -all
The corporate can also be urging prospects of NetScaler ADC and NetScaler Gateway variations 12.1 and 13.0 to maneuver to a help model as they’re now Finish Of Life (EOL) and not supported.
Whereas there isn’t any proof that the flaw has been weaponized, watchTowr CEO Benjamin Harris mentioned it “checks all of the bins” for attacker curiosity and that exploitation may very well be across the nook.
“CVE-2025-5777 is shaping as much as be each bit as severe as CitrixBleed, a vulnerability that prompted havoc for end-users of Citrix Netscaler home equipment in 2023 and past because the preliminary breach vector for quite a few high-profile incidents,” Benjamin Harris, CEO at watchTowr, instructed The Hacker Information.
“The main points surrounding CVE-2025-5777 have quietly shifted since its preliminary disclosure, with pretty vital pre-requisites or limitations being faraway from the NVD CVE description — particularly, the remark that this vulnerability was within the lesser-exposed Administration Interface has now been eliminated — main us to consider that this vulnerability is considerably extra painful than maybe first signaled.”
