Cybersecurity researchers have detailed two now-patched safety flaws in SAP Graphical Person Interface (GUI) for Home windows and Java that, if efficiently exploited, may have enabled attackers to entry delicate data below sure circumstances.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), have been patched by SAP as a part of its month-to-month updates for January 2025.
“The analysis found that SAP GUI enter historical past is saved insecurely, each within the Java and Home windows variations,” Pathlock researcher Jonathan Stross mentioned in a report shared with The Hacker Information.
SAP GUI consumer historical past permits customers to entry beforehand entered values in enter fields with the objective of saving time and lowering errors. This historic data is saved regionally on units. This may embody usernames, nationwide IDs, social safety numbers (SSNs), checking account numbers, and inside SAP desk names.
The vulnerabilities recognized by Pathlock are rooted on this enter historical past characteristic, permitting an attacker with administrative privileges or entry to the sufferer’s consumer listing on the working system to entry the info inside a predefined listing based mostly on the SAP GUI variant.
- SAP GUI for Home windows – %APPDATApercentLocalLowSAPGUICacheHistorySAPHistory
.db - SAP GUI for Java – %APPDATApercentLocalLowSAPGUICacheHistory or $HOME/.SAPGUI/Cache/Historical past (Home windows or Linux) and $HOME/Library/Preferences/SAP/Cache/Historical past (macOS)
The difficulty is that the inputs are saved within the database file utilizing a weak XOR-based encryption scheme within the case of SAP GUI for Home windows, which makes them trivial to decode with minimal effort. In distinction, SAP GUI for Java shops these historic entries in an unencrypted vogue as Java serialized objects.
Consequently, relying on the consumer enter offered previously, the disclosed data may embody something between non-critical knowledge to extremely delicate knowledge, thereby impacting the confidentiality of the applying.
“Anybody with entry to the pc can doubtlessly entry the historical past file and all delicate data it shops,” Stross mentioned. “As a result of the info is saved regionally and weakly (or in no way) encrypted, exfiltration via HID injection assaults (like USB Rubber Ducky) or phishing turns into an actual menace.”
Pathlock additionally identified the 2 vulnerabilities served as a basis for a 3rd data disclosure flaw (CVE-2025-0059, CVSS rating: 6.0) in SAP NetWeaver Software Server ABAP, which is predicated on SAP GUI for HTML. Nonetheless, it doesn’t have a patch.
To mitigate any potential dangers related to data disclosure, it is suggested to disable the enter historical past performance and delete present database or serialized object recordsdata from the aforementioned directories.
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated safety flaw in NetScaler ADC (CVE-2025-5777, CVSS rating: 9.3) that might be exploited by menace actors to achieve entry to prone home equipment.
The shortcoming stems from inadequate enter validation which will allow unauthorized attackers to seize legitimate session tokens from reminiscence through malformed requests, successfully bypassing authentication protections. Nonetheless, this solely works when Netscaler is configured as a Gateway or AAA digital server.
The vulnerability has been codenamed Citrix Bleed 2 by safety researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS rating: 9.4), which got here below lively exploitation within the wild two years in the past.
It has been addressed within the following variations –
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Safe Personal Entry on-prem or Safe Personal Entry Hybrid deployments utilizing NetScaler situations are additionally affected by the vulnerabilities. Citrix is recommending that customers run the next instructions to terminate all lively ICA and PCoIP periods in any case NetScaler home equipment have been upgraded –
kill icaconnection -all kill pcoipConnection -all
The corporate can also be urging prospects of NetScaler ADC and NetScaler Gateway variations 12.1 and 13.0 to maneuver to a help model as they’re now Finish Of Life (EOL) and now not supported.
Whereas there isn’t a proof that the flaw has been weaponized, watchTowr CEO Benjamin Harris mentioned it “checks all of the bins” for attacker curiosity and that exploitation might be across the nook.
“CVE-2025-5777 is shaping as much as be each bit as severe as CitrixBleed, a vulnerability that triggered havoc for end-users of Citrix Netscaler home equipment in 2023 and past because the preliminary breach vector for quite a few high-profile incidents,” Benjamin Harris, CEO at watchTowr, advised The Hacker Information.
“The small print surrounding CVE-2025-5777 have quietly shifted since its preliminary disclosure, with pretty essential pre-requisites or limitations being faraway from the NVD CVE description — particularly, the remark that this vulnerability was within the lesser-exposed Administration Interface has now been eliminated — main us to imagine that this vulnerability is considerably extra painful than maybe first signaled.”
Replace
ReliaQuest has revealed that it has “noticed indications of exploitation” of CVE-2025-5777 to acquire preliminary entry to focus on networks.
This consists of hijacked Citrix net periods from the NetScaler machine, with authentication granted with out consumer information, indicating MFA bypass. The cybersecurity firm additionally mentioned it detected the under habits –
- Session reuse throughout a number of IPs, together with mixtures of anticipated and suspicious IP addresses
- LDAP queries related to Energetic Listing reconnaissance actions
- A number of situations of the “ADExplorer64.exe” software throughout the setting which were used to question domain-level teams and permissions, in addition to a number of area controllers
- Citrix periods originating from data-center-hosting IP addresses, together with these related to DataCamp, alluding to using client VPN companies
Beaumont, in a put up shared on Mastodon, identified that if the vulnerability is being exploited, the assaults are “in all probability” performed by a ransomware group.
(The story was up to date after publication with insights from ReliaQuest.)
