{"id":14312,"date":"2025-06-26T01:19:36","date_gmt":"2025-06-26T01:19:36","guid":{"rendered":"https:\/\/newestek.com\/?p=14312"},"modified":"2025-06-26T01:19:36","modified_gmt":"2025-06-26T01:19:36","slug":"sap-gui-flaws-expose-sensitive-data-via-weak-or-no-encryption","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14312","title":{"rendered":"SAP GUI flaws expose sensitive data via weak or no encryption"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches.<\/p>\n<p>According to Pathlock researcher Jonathan Stross and Fortinet\u2019s Julian Petersohn, a couple of information disclosure vulnerabilities affect the product\u2019s user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions.<\/p>\n<p>The newly disclosed vulnerabilities affect how user-entered data like usernames, national IDs, and bank account numbers are stored locally, either unencrypted or protected with a weak, reusable XOR key.<\/p>\n<p>\u201cCVE-2025-0055 and CVE-2025-0056 both represent a significant organizational risk stemming from insecure local data storage practices,\u201d said Mayuresh Dani, security research manager at Qualys. 
\u201cEven though password fields are excluded from SAP GUI\u2019s input history, the scope of exposed sensitive data that a threat actor can access is extensive.\u201d<\/p>\n<p>SAP, in coordination with the Pathlock team, silently issued relevant <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/january-2025.html\" target=\"_blank\" rel=\"noreferrer noopener\">security patches<\/a> and mitigation steps in January 2025, accessible only to SAP GUI customers.<\/p>\n<h2 class=\"wp-block-heading\">Weak XOR encryption is exploitable<\/h2>\n<p>At the heart of CVE-2025-0055 lies a simple encryption failure. SAP GUI for Windows stashes previously entered values, such as user IDs or SSNs, in a local SQLite database file using exclusive OR (XOR)-based encryption. However, the encryption uses the same static key for every entry, and a single known value is enough to decrypt the rest.<\/p>\n<p>\u201cThe inputs are saved in a SQLite3 database file (SAPHistory&lt;WINUSER&gt;.db) using a weak XOR-based encryption scheme, which makes them trivial to reverse with minimal effort,\u201d Pathlock\u2019s Stross said in a blog <a href=\"https:\/\/pathlock.com\/blog\/security-alerts\/cve-2025-0055-and-2025-0056\/\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>.<\/p>\n<p>CVE-2025-0056 revealed an even laxer approach in SAP GUI for Java, where history data is stored completely unencrypted. That means serialized Java objects holding sensitive user inputs can be freely accessed by anyone who can get onto the machine.<\/p>\n<p>The problem is much greater on Java clients, according to Jason Soroko, senior fellow at Sectigo. \u201cThe same history is written to platform\u2011specific folders as plain, serialized Java objects \u2014 no encryption at all,\u201d he said. 
\u201cAnyone who gains local or remote file\u2011system access to a stolen laptop, a compromised workstation, or to a simple phishing foothold can harvest the history files to accelerate lateral movement, craft convincing spear\u2011phishing, or amass data that triggers compliance violations.\u201d<\/p>\n<p>Pathlock, too, warned that despite a medium CVSS rating of 6 out of 10, the flaws could lead to compliance issues, citing risks of audit failures under <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html?utm=hybrid_search\">GDPR<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/3812511\/use-payment-tech-and-still-not-ready-for-pci-dss-4-0-you-could-face-stiff-penalties.html?utm=hybrid_search\">PCI DSS<\/a>, or HIPAA. SAP did not respond to queries on this matter.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-impact-could-be-much-greater\">The impact could be much greater<\/h2>\n<p>Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. \u201cNot undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could comprehend organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalization attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,\u201d Dani said.<\/p>\n<p>The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, which affects SAP GUI for HTML and stems from the same underlying issue. 
While SAP has yet to patch this variant, Pathlock is concerned that patching might not be a permanent fix to these issues.<\/p>\n<p>According to Stross, fallback mechanisms can potentially undermine the updated versions released by SAP with stronger encryption \u2013 SAP GUI for Windows 8.00 Patch Level 9+ and SAP GUI for Java 7.80 PL9+ or 8.10, making them ineffective.<\/p>\n<p>Pathlock recommends fully disabling input history to permanently mitigate the risk.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches. According to Pathlock researcher Jonathan Stross and Fortinet\u2019s Julian Petersohn, a couple of information disclosure vulnerabilities affect the product\u2019s user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions. 
The newly disclosed vulnerabilities affect how&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14312\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14312","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14312"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14312\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}