Cybersecurity researchers have detailed two now-patched safety flaws in SAP Graphical Person Interface (GUI) for Home windows and Java that, if efficiently exploited, may have enabled attackers to entry delicate info beneath sure situations.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), have been patched by SAP as a part of its month-to-month updates for January 2025.
“The analysis found that SAP GUI enter historical past is saved insecurely, each within the Java and Home windows variations,” Pathlock researcher Jonathan Stross stated in a report shared with The Hacker Information.
SAP GUI consumer historical past permits customers to entry beforehand entered values in enter fields with the aim of saving time and lowering errors. This historic info is saved domestically on units. This could embody usernames, nationwide IDs, social safety numbers (SSNs), checking account numbers, and inside SAP desk names.
The vulnerabilities recognized by Pathlock are rooted on this enter historical past characteristic, permitting an attacker with administrative privileges or entry to the sufferer’s consumer listing on the working system to entry the info inside a predefined listing based mostly on the SAP GUI variant.
- SAP GUI for Home windows – %APPDATApercentLocalLowSAPGUICacheHistorySAPHistory
.db - SAP GUI for Java – %APPDATApercentLocalLowSAPGUICacheHistory or $HOME/.SAPGUI/Cache/Historical past (Home windows or Linux) and $HOME/Library/Preferences/SAP/Cache/Historical past (macOS)
The problem is that the inputs are saved within the database file utilizing a weak XOR-based encryption scheme within the case of SAP GUI for Home windows, which makes them trivial to decode with minimal effort. In distinction, SAP GUI for Java shops these historic entries in an unencrypted style as Java serialized objects.
Consequently, relying on the consumer enter offered up to now, the disclosed info may embody something between non-critical information to extremely delicate information, thereby impacting the confidentiality of the applying.
“Anybody with entry to the pc can doubtlessly entry the historical past file and all delicate info it shops,” Stross stated. “As a result of the info is saved domestically and weakly (or in no way) encrypted, exfiltration by HID injection assaults (like USB Rubber Ducky) or phishing turns into an actual risk.”
To mitigate any potential dangers related to info disclosure, it is suggested to disable the enter historical past performance and delete present database or serialized object recordsdata from the aforementioned directories.
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated safety flaw in NetScaler (CVE-2025-5777, CVSS rating: 9.3) that may very well be exploited by risk actors to achieve entry to prone home equipment.
The shortcoming stems from inadequate enter validation that will allow unauthorized attackers to seize legitimate session tokens from reminiscence by way of malformed requests, successfully bypassing authentication protections. Nevertheless, this solely works when Netscaler is configured as a Gateway or AAA digital server.
The vulnerability has been codenamed Citrix Bleed 2 by safety researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS rating: 9.4), which got here beneath lively exploitation within the wild two years in the past.
It has been addressed within the following variations –
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Safe Personal Entry on-prem or Safe Personal Entry Hybrid deployments utilizing NetScaler cases are additionally affected by the vulnerabilities. Citrix is recommending that customers run the next instructions to terminate all lively ICA and PCoIP classes in any case NetScaler home equipment have been upgraded –
kill icaconnection -all kill pcoipConnection -all
The corporate can also be urging prospects of NetScaler ADC and NetScaler Gateway variations 12.1 and 13.0 to maneuver to a help model as they’re now Finish Of Life (EOL) and now not supported.
Whereas there is no such thing as a proof that the flaw has been weaponized, watchTowr CEO Benjamin Harris stated it “checks all of the bins” for attacker curiosity and that exploitation may very well be across the nook.
“CVE-2025-5777 is shaping as much as be each bit as severe as CitrixBleed, a vulnerability that triggered havoc for end-users of Citrix Netscaler home equipment in 2023 and past because the preliminary breach vector for quite a few high-profile incidents,” Benjamin Harris, CEO at watchTowr, informed The Hacker Information.
“The main points surrounding CVE-2025-5777 have quietly shifted since its preliminary disclosure, with pretty vital pre-requisites or limitations being faraway from the NVD CVE description — particularly, the remark that this vulnerability was within the lesser-exposed Administration Interface has now been eliminated — main us to consider that this vulnerability is considerably extra painful than maybe first signaled.”
