
Cybersecurity researchers have detailed two now-patched security flaws in the SAP Graphical User Interface (GUI) for Windows and Java.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS score: 6.0), were patched by SAP as part of its January 2025 monthly update.
“The study found that SAP GUI input history was unstable in both Java and Windows versions,” Pathlock researcher Jonathan Stross said in a report shared with Hacker News.
The SAP GUI user input history feature lets users recall values previously entered in input fields, with the aim of saving time and reducing errors. This history is stored locally on the device and can include usernames, national IDs, Social Security numbers (SSNs), bank account numbers, and internal SAP table names.

The vulnerability identified by Pathlock is rooted in this input history feature: the data is written to predefined directories, which differ between SAP GUI variants, inside the user's profile on the operating system, where it can be read by anyone with access to that user directory or with administrative privileges.
- SAP GUI for Windows: %appdata%\locallow\sapgui\cache\history\saphistory.db
- SAP GUI for Java: appdata%\locallow\sapgui
The problem is that SAP GUI for Windows stores the input history in a database file protected only by a weak XOR-based encryption scheme, so it can be decoded with minimal effort. SAP GUI for Java, in contrast, stores these history entries as Java serialized objects with no encryption at all.
As a result, depending on what the user previously entered, the disclosed information could range from non-critical data to highly sensitive data, affecting the confidentiality of the application.
“Anyone who has access to a computer may have access to history files and all the sensitive information they store,” Stross said. “Because data is stored locally and encrypted (or not at all), it is a real threat to peel it off via HID injection attacks (such as USB rubber duckies) or phishing.”
To mitigate the risk of disclosure, it is recommended to disable the input history feature and delete any existing database or serialized object files from the directories listed above.
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated security flaw in NetScaler (CVE-2025-5777, CVSS score: 9.3).
The flaw stems from insufficient input validation, which can allow an attacker to obtain a valid session token from memory via a crafted request, effectively bypassing authentication protections. It only applies when NetScaler is configured as a Gateway or as an AAA virtual server.
The vulnerability has been called Citrix Bleed 2 by security researcher Kevin Beaumont due to its similarity to CVE-2023-4966 (CVSS score: 9.4).
It has been addressed in the following versions –
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

Secure Private Access on-premises and Secure Private Access Hybrid deployments that use NetScaler instances are also affected. Citrix recommends running the following commands to terminate all active ICA and PCoIP sessions once all NetScaler appliances have been upgraded –
kill icaconnection -all
kill pcoipConnection -all
The company is also urging customers on NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a supported version, as those releases have reached end-of-life (EOL) and no longer receive fixes.
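A triage helper for the version list and EOL statement above, added here as an example and not taken from Citrix or the article: it parses a NetScaler version string, maps it to the release train and FIPS/NDcPP variant, and reports whether that build is at or past the fixed build quoted for CVE-2025-5777, is on an end-of-life train, or is not covered by the list. The fixed-build numbers are the ones reproduced in the article; the `show ns version` banner format it also accepts ("NetScaler NS14.1: Build 43.56.nc") is an assumption about the appliance's output, and the inventory lines at the bottom are constructed samples.

```python
import re

# Minimum fixed builds per release train and variant, taken from the version
# list quoted above. Key: (train, variant) -> (build, sub-build).
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDCPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Release trains the article reports as end-of-life; no fix ships for these.
EOL_TRAINS = {"12.1", "13.0"}

# Matches the "14.1-43.56" form used above and (assumed format) the banner
# printed by `show ns version`, e.g. "NetScaler NS14.1: Build 43.56.nc".
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)", re.IGNORECASE
)


def parse_version(text):
    """Return (train, build, sub_build, variant) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    train, build, sub = m.group(1), int(m.group(2)), int(m.group(3))
    lowered = text.lower()
    # Variant is signalled by a FIPS / NDcPP tag anywhere in the string.
    variant = "FIPS" if "fips" in lowered else "NDCPP" if "ndcpp" in lowered else ""
    return train, build, sub, variant


def assess(text):
    """Classify a NetScaler version against the CVE-2025-5777 fix list.

    Returns one of: "patched", "vulnerable", "eol", "unknown".
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    train, build, sub, variant = parsed
    if variant == "" and train in EOL_TRAINS:
        return "eol"  # no fix will ship; the only remedy is a supported train
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return "unknown"  # train/variant not covered by the published list
    return "patched" if (build, sub) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory lines, not real appliance output.
    inventory = [
        "14.1-43.56",
        "14.1-43.50",
        "13.1-57.26",
        "13.1-37.207-NDcPP",
        "12.1-55.328-FIPS",
        "13.0-92.21",
        "NetScaler NS14.1: Build 43.56.nc",
    ]
    for line in inventory:
        print(f"{line!r:40} -> {assess(line)}")
```

Run it over an exported inventory of appliance version strings to get a first cut of which hosts still need the upgrade; anything classified "eol" needs a migration rather than a patch, and "unknown" should be checked by hand against the vendor advisory.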
There is no evidence that the flaw has been weaponized, but watchTowr CEO Benjamin Harris described it as "checking every box" for attacker interest, saying exploitation could be around the corner.
“CVE-2025-5777 is the vulnerability that wreaked havoc for end users of the Citrix NetScaler appliance in 2023, and the vulnerability was the initial breach vector for many significant incidents,” Benjamin Harris, CEO of watchTowr, said.
“Details surrounding CVE-2025-5777 have quietly changed since its initial disclosure, with some rather important prerequisites or restrictions removed from the NVD CVE description. Specifically, the comment that this vulnerability lies in the lesser management interface has now been removed.