Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions.
The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January 2025.
“The research discovered that SAP GUI input history is stored insecurely, both in the Java and Windows versions,” Pathlock researcher Jonathan Stross said in a report shared with The Hacker News.
SAP GUI user history allows users to access previously entered values in input fields with the goal of saving time and reducing errors. This historical information is stored locally on devices. This can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.
The vulnerabilities identified by Pathlock are rooted in this input history feature, allowing an attacker with administrative privileges or access to the victim’s user directory on the operating system to access the data within a predefined directory based on the SAP GUI variant.
- SAP GUI for Windows – %APPDATA%LocalLowSAPGUICacheHistorySAPHistory<WINUSER>.db
- SAP GUI for Java – %APPDATA%LocalLowSAPGUICacheHistory or $HOME/.SAPGUI/Cache/History (Windows or Linux) and $HOME/Library/Preferences/SAP/Cache/History (macOS)
The issue is that the inputs are saved in the database file using a weak XOR-based encryption scheme in the case of SAP GUI for Windows, which makes them trivial to decode with minimal effort. In contrast, SAP GUI for Java stores these historical entries in an unencrypted fashion as Java serialized objects.
As a result, depending on the user input provided in the past, the disclosed information could include anything between non-critical data to highly sensitive data, thereby impacting the confidentiality of the application.
“Anyone with access to the computer can potentially access the history file and all sensitive information it stores,” Stross said. “Because the data is stored locally and weakly (or not at all) encrypted, exfiltration through HID injection attacks (like USB Rubber Ducky) or phishing becomes a real threat.”
To mitigate any potential risks associated with information disclosure, it’s advised to disable the input history functionality and delete existing database or serialized object files from the aforementioned directories.
Citrix Patches CVE-2025-5777
The disclosure comes as Citrix patched a critical-rated security flaw in NetScaler (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.
The shortcoming stems from insufficient input validation that may enable unauthorized attackers to grab valid session tokens from memory via malformed requests, effectively bypassing authentication protections. However, this only works when Netscaler is configured as a Gateway or AAA virtual server.
The vulnerability has been codenamed Citrix Bleed 2 by security researcher Kevin Beaumont, owing to its similarities to CVE-2023-4966 (CVSS score: 9.4), which came under active exploitation in the wild two years ago.
It has been addressed in the following versions –
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Citrix is recommending that users run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances have been upgraded –
kill icaconnection -all kill pcoipConnection -all
The company is also urging customers of NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a support version as they are now End Of Life (EOL) and no longer supported.
While there is no evidence that the flaw has been weaponized, watchTowr CEO Benjamin Harris said it “checks all the boxes” for attacker interest and that exploitation could be around the corner.
“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents,” Benjamin Harris, CEO at watchTowr, told The Hacker News.
“The details surrounding CVE-2025-5777 have quietly shifted since its initial disclosure, with fairly important pre-requisites or limitations being removed from the NVD CVE description — specifically, the comment that this vulnerability was in the lesser-exposed Management Interface has now been removed — leading us to believe that this vulnerability is significantly more painful than perhaps first signaled.”
