Cybersecurity researchers have detailed two security flaws in the SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could allow attackers to access sensitive information under certain conditions.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January 2025.
“The study found that the SAP GUI input history is insecure, both in the Java and Windows versions,” Pathlock researcher Jonathan Stross said in a report shared with The Hacker News.
The SAP GUI input history allows users to access values previously entered in input fields in order to save time and reduce errors. This historical information is stored locally on the devices. It includes usernames, national identifiers, social security numbers (SSNs), bank account numbers, and internal SAP table names.
The vulnerabilities identified by Pathlock are rooted in this input history feature, allowing an attacker with administrative privileges or access to the victim's user directory on the operating system to access the data in a predefined directory that depends on the SAP GUI variant.
- SAP GUI for Windows – %APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory.db
- SAP GUI for Java – %APPDATA%\LocalLow\SAPGUI\Cache\History
The problem is that the inputs are saved in the database file using a weak XOR-based encryption scheme in the case of SAP GUI for Windows, which makes them trivial to decode with minimal effort. In contrast, SAP GUI for Java stores these historical entries unencrypted, as serialized Java objects.
As a result, depending on what the user entered in the past, the disclosed information could include anything from non-critical data to highly sensitive data, affecting the confidentiality of the application.
“Anyone who has access to the computer can potentially access the history file and all the confidential information it stores,” Stross said. “As the data is stored locally and weakly (or not at all) encrypted, exfiltration through HID injection attacks (such as USB Rubber Ducky) or phishing becomes a real threat.”
To mitigate any potential risks associated with information disclosure, it is recommended to disable the input history feature and delete existing database or serialized object files from the above directories.
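The cleanup step recommended above can be scripted. The following Python audit is an added example, not code from Pathlock, SAP or the article: it inventories leftover input-history files in a history directory and optionally deletes them. The directory layout is the Windows path listed above; the function names and the `.db` suffix check are assumptions of this sketch, and `AC ED 00 05` is the standard Java serialization stream header.

```python
import os
from pathlib import Path

# Java Object Serialization stream header: magic 0xACED, version 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def default_history_dir(env=os.environ):
    """History directory as the article lists it; None when APPDATA is unset."""
    appdata = env.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "LocalLow" / "SAPGUI" / "Cache" / "History"

def classify(path):
    """Label a file by its leading bytes and suffix; contents are never decoded."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == JAVA_SERIAL_MAGIC:
        return "java-serialized"  # SAP GUI for Java: stored unencrypted
    if path.suffix.lower() == ".db":
        return "history-db"       # SAP GUI for Windows: weak XOR scheme (suffix check is an assumption)
    return "other"

def audit_history(history_dir, delete=False):
    """Return [(path, kind, size)] for history files; remove them when delete=True."""
    history_dir = Path(history_dir)
    findings = []
    if not history_dir.is_dir():
        return findings
    # Materialize the listing first so deletion does not disturb the walk.
    for path in sorted(p for p in history_dir.rglob("*") if p.is_file()):
        kind = classify(path)
        if kind == "other":
            continue
        findings.append((path, kind, path.stat().st_size))
        if delete:
            path.unlink()
    return findings

if __name__ == "__main__":
    target = default_history_dir()
    if target is None:
        print("APPDATA is not set; pass the history directory to audit_history()")
    else:
        for path, kind, size in audit_history(target):
            print(f"{kind:16} {size:8d}  {path}")
```

Run it per user profile after disabling input history, and call `audit_history(path, delete=True)` only once the report has been reviewed.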
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated security flaw in NetScaler (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.
The shortcoming stems from insufficient input validation, which may allow unauthorized attackers to grab valid session tokens from memory via malformed requests, effectively bypassing authentication protections. However, this only works when NetScaler is configured as a Gateway or AAA virtual server.
The vulnerability has been codenamed Citrix Bleed 2 by security researcher Kevin Beaumont, owing to its similarity to CVE-2023-4966 (CVSS score: 9.4), which came under active exploitation in the wild two years ago.
It has been addressed in the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS
The vulnerability also affects Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances. Citrix recommends that users run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances have been upgraded:
```
kill icaconnection -all
kill pcoipConnection -all
```
The company is also urging customers running NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a supported version, as they are now End of Life (EOL) and no longer supported.
Although there is no evidence that the flaw has been weaponized, watchTowr CEO Benjamin Harris said it “checks all the boxes” for attacker interest and that exploitation could be around the corner.
“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused chaos for the end users of Citrix NetScaler in 2023 and beyond as the initial breach vector for many incidents,” said Benjamin Harris.
“Details surrounding CVE-2025-5777 have quietly shifted since their initial disclosure, with fairly important prerequisites or limitations removed from the NVD CVE description, specifically the comment that this vulnerability was in the lesser-exposed management interface, leading us to believe that this vulnerability is much more painful.”