Two vulnerabilities in SAP’s Graphical User Interface (SAP GUI) input history feature have been disclosed, revealing weaknesses in how sensitive user data is stored locally.
The issues, found by Pathlock, affect both the Windows and Java versions of SAP GUI and are tracked as CVE-2025-0055 and CVE-2025-0056, respectively.
The vulnerabilities center on SAP GUI’s input history – a usability feature that stores user inputs like usernames or financial data to ease repetitive entry. However, researchers found that the stored data is either weakly encrypted or not encrypted at all.
“Pathlock’s research, coordinated with SAP and Fortinet, reveals that the SAP GUI ‘input history’ feature stores sensitive user-entered values in an unsafe manner,” said Jason Soroko, senior fellow at Sectigo.
On Windows systems, input history is stored in an SQLite3 database file located under “%APPDATA%\LocalLow\SAPGUI\Cache\History”. This file uses static XOR-based encryption, which the researchers describe as trivial to reverse.
“A single known value is enough to recover that key and decrypt the rest of the database, exposing IDs, account numbers or other business data,” Soroko added.
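Why a static XOR key gives no real protection, shown as an added example that is not from the original article or from Pathlock's research. It assumes a repeating-key XOR with a constructed key and constructed entries, because the actual SAP GUI scheme and key are not described on this page.

```python
from itertools import cycle

# Constructed key for the demonstration; the real key is not on the page.
STATIC_KEY = b"k3y!"


def xor_static(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext yields the key bytes that covered it."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces the stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# Constructed history entries, standing in for values typed into input fields.
ENTRIES = [b"JSMITH01", b"ACCT-0042-7781", b"4500017345"]
# Every record is protected with the same key: this is the design flaw.
STORED = [xor_static(entry, STATIC_KEY) for entry in ENTRIES]


def demo() -> list:
    # One stored value whose plaintext is known reveals the key for all records.
    stream = recover_keystream(STORED[0], ENTRIES[0])
    key = shortest_period(stream)
    return [xor_static(record, key) for record in STORED]


if __name__ == "__main__":
    for value in demo():
        print(value.decode())
```

Because the key never changes between records or installations, the storage behaves like an encoding rather than encryption, which is why the guidance is to disable the feature and delete existing history files rather than rely on the stored format.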
For the Java version, the situation is worse. History data is stored as serialized objects with no encryption at all.
“Anyone who gains local or remote file-system access […] can harvest the history files to accelerate lateral movement, craft convincing spear‑phishing or amass data that triggers GDPR, PCI DSS or HIPAA violations,” Soroko explained.
Mayuresh Dani, security research manager at Qualys, also emphasized the gravity of the risk.
“CVE-2025-0055 and CVE-2025-0056 both represent a significant organizational risk stemming out of insecure local data storage practices,” he said.
“This extracted data provides attackers with enough gunpowder for reconnaissance activities […] to effectively compromise a targeted user and carry out further attacks.”
Compliance and Mitigation Considerations
Although both vulnerabilities carry a medium CVSS score of 6, their implications for compliance are significant. Improper handling of personally identifiable information (PII) could lead to audit failures under GDPR, HIPAA and PCI DSS standards.
To mitigate these risks:
- Disable the input history feature in both Windows and Java versions
- Remove existing history files from local directories
- Apply SAP GUI updates: Windows 8.00 Patch Level 9+ and Java 7.80 PL9+ or 8.10
“SAP shipped stronger encryption updates in January 2025,” Soroko noted.
“Nevertheless, the most secure course is to get rid of the weak spot fully […] even after patching.”
The findings also laid the groundwork for identifying a related issue in SAP NetWeaver Application Server ABAP (CVE-2025-0059), which affects the SAP GUI for HTML. No patch currently exists for this variant.
“Successful chaining and exploitation of these vulnerabilities allows threat actors to reverse-engineer the insecure key […] and access the stored sensitive information,” Dani warned.
With fallback mechanisms still active, researchers urge full deactivation of input history features as a critical step in securing SAP environments.