Source: www.infosecurity-magazine.com
Two vulnerabilities in SAP’s Graphical User Interface (SAP GUI) input history feature have been disclosed, revealing weaknesses in how sensitive user data is stored locally.
The issues, discovered by Pathlock, affect both the Windows and Java versions of SAP GUI and are tracked as CVE-2025-0055 and CVE-2025-0056, respectively.
The vulnerabilities center on SAP GUI’s input history – a usability feature that stores user inputs like usernames or financial data to ease repetitive entry. However, researchers found that the stored data is either weakly encrypted or not encrypted at all.
“Pathlock’s research, coordinated with SAP and Fortinet, reveals that the SAP GUI ‘input history’ feature stores sensitive user-entered values in an unsafe manner,” said Jason Soroko, senior fellow at Sectigo.
On Windows systems, input history is saved in an SQLite3 database file located under “%APPDATA%\LocalLow\SAPGUI\Cache\History.” This file uses static XOR-based encryption, which the researchers describe as trivial to reverse.
“A single known value is enough to recover that key and decrypt the rest of the database, exposing IDs, account numbers or other business data,” Soroko added.
For the Java version, the situation is worse. History data is saved as serialized objects with no encryption whatsoever.
“Anyone who gains local or remote file-system access […] can harvest the history files to accelerate lateral movement, craft convincing spear‑phishing or amass data that triggers GDPR, PCI DSS or HIPAA violations,” Soroko explained.
Mayuresh Dani, security research manager at Qualys, also emphasized the gravity of the risk.
“CVE-2025-0055 and CVE-2025-0056 both represent a significant organizational risk stemming out of insecure local data storage practices,” he said.
“This extracted data provides attackers with enough gunpowder for reconnaissance activities […] to effectively compromise a targeted user and carry out further attacks.”
Compliance and Mitigation Concerns
Although both vulnerabilities carry a medium CVSS score of 6, their implications for compliance are significant. Improper handling of personally identifiable information (PII) could lead to audit failures under GDPR, HIPAA and PCI DSS standards.
To mitigate these risks:
- Disable the input history feature in both Windows and Java versions
- Remove existing history files from local directories
- Apply SAP GUI updates: Windows 8.00 Patch Level 9+ and Java 7.80 PL9+ or 8.10
“SAP shipped stronger encryption updates in January 2025,” Soroko noted.
“However, the safest course is to eliminate the weakness entirely […] even after patching.”
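One way to verify that history files were actually removed, as an added example (not code from Pathlock, SAP or the article): it scans the directories you pass in for files whose leading bytes match the two storage formats described above, an SQLite3 database or a Java serialization stream. The magic values are the standard signatures of those formats; the sample file names in `demo()` are constructed.

```python
import os
import sys
import tempfile
from pathlib import Path
from typing import Optional

# Standard format signatures (not SAP-specific values):
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite3 database
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"   # Java object serialization stream header

def classify(path: Path) -> Optional[str]:
    """Return the storage format suggested by a file's leading bytes, or None."""
    try:
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError:
        return "unreadable"  # report it: an auditor should know it was not checked
    if head.startswith(SQLITE_MAGIC):
        return "sqlite3"
    if head.startswith(JAVA_SER_MAGIC):
        return "java-serialized"
    return None

def find_history_residue(roots):
    """Walk each root and list (path, kind) for files that look like history stores."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                path = Path(dirpath) / name
                kind = classify(path)
                if kind:
                    findings.append((str(path), kind))
    return findings

def demo():
    """Constructed sample tree: two history-like files and one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        hist = Path(tmp, "History")
        hist.mkdir()
        (hist / "sample_history.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)
        (hist / "sample_history.ser").write_bytes(JAVA_SER_MAGIC + b"sr\x00")
        (hist / "notes.txt").write_bytes(b"not a history file")
        return [(Path(p).name, kind) for p, kind in find_history_residue([tmp])]

if __name__ == "__main__":
    # Pass the SAP GUI history directories of your installation as arguments.
    results = find_history_residue(sys.argv[1:]) if sys.argv[1:] else demo()
    for path, kind in results:
        print(f"{kind:16} {path}")
```

An empty result for a user's history directories indicates the cleanup step took effect; any hit is a file to review and delete after input history has been disabled.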
The findings also laid the groundwork for identifying a related issue in SAP NetWeaver Application Server ABAP (CVE-2025-0059), which affects the SAP GUI for HTML. No patch currently exists for this variant.
“Successful chaining and exploitation of these vulnerabilities allows threat actors to reverse-engineer the insecure key […] and access the stored sensitive information,” Dani warned.
With fallback mechanisms still active, researchers urge full deactivation of input history features as a critical step in securing SAP environments.
Original Post URL: https://www.infosecurity-magazine.com/news/sap-gui-vulnerable-weak-encryption/