Cyber Web Spider Blog – News
Citrix Bleed 2 Flaw Enables Token Theft; SAP GUI Flaws Risk Sensitive Data Exposure

Posted on June 25, 2025 by CWS

Jun 25, 2025Ravie LakshmananData Privateness / Vulnerability
Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January 2025.
“The research found that SAP GUI input history is stored insecurely, both in the Java and Windows versions,” Pathlock researcher Jonathan Stross said in a report shared with The Hacker News.
SAP GUI user history lets users recall previously entered values in input fields, with the goal of saving time and reducing errors. This historical information is stored locally on the device. Because it is simply a record of what was typed, it can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.

The vulnerabilities identified by Pathlock are rooted in this input history feature: an attacker with administrative privileges, or with access to the victim's user profile directory on the operating system, can read the stored data from a predefined location that depends on the SAP GUI variant –

SAP GUI for Windows – %APPDATA%\LocalLow\SAP\GUI\Cache\History\SAPHistory<WINUSER>.db
SAP GUI for Java – %APPDATA%\LocalLow\SAP\GUI\Cache\History (Windows), $HOME/.SAPGUI/Cache/History (Linux) and $HOME/Library/Preferences/SAP/Cache/History (macOS)

The problem is that, in the case of SAP GUI for Windows, the inputs are stored in the database file using a weak XOR-based encryption scheme, which makes them trivial to decode with minimal effort. SAP GUI for Java, by contrast, stores these history entries unencrypted, as Java serialized objects.
As a result, depending on what the user has entered in the past, the disclosed information can range from non-critical data to highly sensitive data, impacting the confidentiality of the application.
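The page does not publish SAP's actual XOR scheme, so the following added example (written for this page, not Pathlock's or SAP's code) assumes its simplest form, a repeating-key XOR, to show why such a design cannot protect a history file: an attacker who knows one stored value (here the victim's SAP username, which is rarely a secret) recovers the key and, with it, every other entry. The sample history contents, the field layout and the key are all constructed for the demonstration.

```python
"""Added illustration (not SAP's code): why XOR-obfuscated local storage gives
no confidentiality.  The page does not describe SAP GUI's real XOR scheme, so a
generic repeating-key XOR is ASSUMED here; the attack shown (a known plaintext
fragment recovers the key, the key recovers everything) works on any such scheme.
"""
from itertools import cycle


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; encryption and decryption are the same op."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, offset: int, key_len: int):
    """Derive a key of length `key_len` from a known plaintext fragment (`crib`)
    located at `offset` in the blob.  Returns None when the crib contradicts
    that key length, or is too short to pin down every key byte."""
    key = [None] * key_len
    for i, p in enumerate(crib):
        pos = offset + i
        k = ciphertext[pos] ^ p          # key byte = ciphertext byte XOR plaintext byte
        slot = pos % key_len
        if key[slot] is not None and key[slot] != k:
            return None                  # same slot, different byte: wrong key length
        key[slot] = k
    if any(k is None for k in key):
        return None                      # crib does not cover every key position
    return bytes(key)


def break_with_crib(ciphertext: bytes, crib: bytes, offset: int = 0, max_key_len: int = 32):
    """Try key lengths 1..max_key_len and accept the first whose recovered key
    turns the whole blob into printable text.  Returns (key, plaintext) or None."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, crib, offset, key_len)
        if key is None:
            continue
        plain = xor_repeating(ciphertext, key)
        if all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
            return key, plain
    return None


# Constructed sample of what an input-history store might hold (values invented).
HISTORY = (b"USERNAME=jdoe\n"
           b"SSN=123-45-6789\n"
           b"IBAN=DE89370400440532013000\n"
           b"TABLE=PA0002\n")
KEY = bytes.fromhex("5aa317c48e2b71d9")   # assumed 8-byte key; the attacker never sees it
CIPHERTEXT = xor_repeating(HISTORY, KEY)  # this is what would sit on disk

if __name__ == "__main__":
    # The attacker only knows the victim's SAP username, the first stored field.
    key, plain = break_with_crib(CIPHERTEXT, b"USERNAME=jdoe")
    print("recovered key:", key.hex())
    print(plain.decode())
```

Thirteen known bytes are enough to recover an eight-byte key, and the shorter candidate lengths eliminate themselves through contradictions; this is why "encrypted with XOR" in a local cache should be read as "stored in plaintext" when assessing exposure.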
“Anyone with access to the computer can potentially access the history file and all sensitive information it stores,” Stross said. “Because the data is stored locally and weakly (or not at all) encrypted, exfiltration via HID injection attacks (like USB Rubber Ducky) or phishing becomes a real threat.”
To mitigate the information disclosure risk, it is recommended to disable the input history functionality and to delete any existing database or serialized object files from the directories listed above.
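An added helper (not SAP's tooling) for the cleanup step above: it expands the directories named on this page for the current platform, reports every history file found with its size and last-modified date, and deletes them only when explicitly asked. The page gives no file names for the Java variant, so everything under a History directory is reported; that, and the command-line flag, are assumptions of this example.

```python
"""Added example (not SAP's tooling): locate and optionally purge SAP GUI input
history stores.  Directories are the ones listed on the page; reporting every
file under them (rather than only SAPHistory<WINUSER>.db) is an assumption,
since the Java variant's file names are not given.
"""
import os
import sys
import time
from pathlib import Path

# Directories from the page.  Environment variables expand per platform; a
# variable that does not exist on this OS leaves the string unexpanded and the
# entry is skipped.
HISTORY_DIRS = [
    r"%APPDATA%\LocalLow\SAP\GUI\Cache\History",   # SAP GUI for Windows, and Java on Windows
    "$HOME/.SAPGUI/Cache/History",                  # SAP GUI for Java on Linux
    "$HOME/Library/Preferences/SAP/Cache/History",  # SAP GUI for Java on macOS
]


def find_history_files(dirs=HISTORY_DIRS):
    """Return [(path, size_bytes, mtime_epoch)] for every file under the
    history directories that actually exist on this machine."""
    found = []
    for d in dirs:
        expanded = os.path.expandvars(d)
        if "%" in expanded or "$" in expanded:
            continue                     # variable unknown on this OS
        root = Path(expanded)
        if not root.is_dir():
            continue                     # this SAP GUI variant is not installed/used
        for p in root.rglob("*"):
            if p.is_file():
                st = p.stat()
                found.append((str(p), st.st_size, st.st_mtime))
    return found


def purge(files, dry_run=True):
    """Delete the listed files; returns the number actually removed."""
    removed = 0
    for path, _, _ in files:
        if dry_run:
            continue
        try:
            os.remove(path)
            removed += 1
        except OSError as e:
            print(f"could not remove {path}: {e}", file=sys.stderr)
    return removed


if __name__ == "__main__":
    dry = "--delete" not in sys.argv    # assumed flag: default is report-only
    hits = find_history_files()
    for path, size, mtime in hits:
        print(f"{size:>9} B  {time.strftime('%Y-%m-%d', time.localtime(mtime))}  {path}")
    n = purge(hits, dry_run=dry)
    print(f"{len(hits)} history file(s) found, {n} deleted"
          + (" (dry run; pass --delete to remove them)" if dry else ""))
```

Deleting the files is only half of the mitigation: unless history is switched off in the SAP GUI client options, the store is recreated the next time the user types into a field, so the purge belongs after the setting change, not instead of it.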
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated security flaw in NetScaler (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.
The shortcoming stems from insufficient input validation that could allow unauthorized attackers to capture valid session tokens from memory via malformed requests, effectively bypassing authentication protections. However, this only works when NetScaler is configured as a Gateway or AAA virtual server.

The vulnerability has been codenamed Citrix Bleed 2 by security researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS score: 9.4), which came under active exploitation in the wild two years ago.
It has been addressed in the following versions –

NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
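The fixed builds above, turned into a check you can run against the version string of each appliance. This is an added example for this page, not Citrix tooling; the build floors are exactly the ones listed, while the accepted input shapes (a bare `14.1-43.56` style string, or the `NetScaler NS14.1: Build 43.56.nc` line printed by `show ns version`) are assumptions, and the FIPS/NDcPP branch has to be indicated by the caller because the build string alone does not reveal it.

```python
"""Added example (not Citrix tooling): is a NetScaler build at or above the
fixed build for CVE-2025-5777?  Floors come from the versions listed on the
page; the input formats accepted by parse_build() are assumptions.
"""
import re

# Minimum fixed build per branch, as listed by Citrix.  The same floor applies
# to 13.1-FIPS and 13.1-NDcPP.
FIXED = {
    "14.1":      (14, 1, 43, 56),
    "13.1":      (13, 1, 58, 32),
    "13.1-FIPS": (13, 1, 37, 235),
    "12.1-FIPS": (12, 1, 55, 328),
}
# Non-FIPS 12.1 and 13.0 are end of life: there is no fixed build, only migration.
EOL = {"12.1", "13.0"}

_DASHED = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")                    # e.g. 14.1-43.56
_SHOW_VERSION = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")  # e.g. NS14.1: Build 43.56.nc


def parse_build(s: str):
    """Return (major, minor, build, sub) from either accepted format, or None."""
    m = _DASHED.search(s) or _SHOW_VERSION.search(s)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version: str, fips_or_ndcpp: bool = False) -> str:
    """Classify a build as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    fips_or_ndcpp must be supplied by the caller: the build string of a
    13.1-FIPS/NDcPP or 12.1-FIPS appliance looks like any other 13.1/12.1 build
    but is measured against a different floor.
    """
    v = parse_build(version)
    if v is None:
        return "unknown"
    branch = f"{v[0]}.{v[1]}"
    if fips_or_ndcpp and branch in ("13.1", "12.1"):
        branch += "-FIPS"
    if branch in EOL:
        return "eol"
    floor = FIXED.get(branch)
    if floor is None:
        return "unknown"          # a branch the page does not list
    return "fixed" if v >= floor else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, is FIPS/NDcPP build).
    for ver, fips in [("NetScaler NS14.1: Build 43.50.nc, Date: Jun 1 2025", False),
                      ("13.1-58.32", False), ("13.1-37.235", True), ("13.1-37.235", False),
                      ("12.1-55.328", True), ("13.0-92.21", False)]:
        print(f"{ver:<55} FIPS={fips!s:<5} -> {assess(ver, fips)}")
```

A build at or above the floor closes the hole, but a token captured before the upgrade remains valid afterwards, which is why the session-termination commands Citrix gives below are part of the fix rather than optional hygiene; also note that the Gateway/AAA configuration condition above narrows exposure, not the need to patch.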

Secure Private Access on-prem and Secure Private Access Hybrid deployments that use NetScaler instances are also affected. Since a session token captured before the upgrade would still be valid afterwards, Citrix recommends that customers run the following commands to terminate all active ICA and PCoIP sessions once all NetScaler appliances have been upgraded –
kill icaconnection -all
kill pcoipConnection -all
The company is also urging customers of NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a supported version, as these releases are now End Of Life (EOL) and no longer receive fixes.
While there is no evidence that the flaw has been weaponized, watchTowr CEO Benjamin Harris said it “checks all the boxes” for attacker interest and that exploitation could be around the corner.
“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents,” Benjamin Harris, CEO at watchTowr, told The Hacker News.
“The details surrounding CVE-2025-5777 have quietly shifted since its initial disclosure, with fairly significant pre-requisites or limitations being removed from the NVD CVE description — specifically, the comment that this vulnerability was in the lesser-exposed Management Interface has now been removed — leading us to believe that this vulnerability is significantly more painful than perhaps first signaled.”
