UPDATED 09:00 EST / JUNE 25 2025

Researchers uncover weak encryption in SAP user interface for Windows and Java

SAP SE today addressed two newly disclosed vulnerabilities in its SAP Graphical User Interface client applications following their discovery in coordinated research by Pathlock Inc. and Fortinet Inc.

The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056, involved weak or absent encryption in the input history function of SAP GUI for Windows and SAP GUI for Java, exposing sensitive user data stored on local machines. The vulnerabilities were found to stem from how SAP GUI stores user input history, a feature designed to improve usability by recalling frequently used data entries such as usernames, identification numbers and bank account numbers.

In the Windows version of SAP GUI, data was stored in an SQLite3 database using a weak XOR-based encryption scheme. The researchers from Pathlock and Fortinet found that the same static key is reused, making it easy to reverse-engineer and decrypt stored inputs. In the Java version, the data is stored entirely unencrypted in serialized objects, exposing information to any user with local access.
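To show why a static, reused XOR key counts as weak encryption, here is an added Python example that is not from the article, SAP or the researchers: the key, the record layout and the sample history entries are constructed for the demonstration, and it shows that a single known entry recovers the shared key, which then unlocks every other stored entry.

```python
"""Why a static, reused XOR key is not real encryption.

Constructed demonstration: the key, record names and sample values are
made up for this example and are not SAP GUI's actual format or key.
"""
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """One known record recovers a repeating key of length key_len,
    provided that record is at least key_len bytes long."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than the key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def demo() -> dict:
    # Constructed static key; the weakness is its reuse, not its value.
    static_key = b"\x5a\xc3\x19\x77\xe0\x2b\x8d\x41"

    # Constructed input-history records of the kind the usability feature keeps.
    records = {
        "user": b"jdoe",
        "iban": b"DE89370400440532013000",
        "ssn": b"123-45-6789",
    }
    stored = {name: xor_with_key(value, static_key) for name, value in records.items()}

    # Anyone who knows one value (for example their own IBAN) and can read
    # its stored form derives the key from that single pair...
    key = recover_key(stored["iban"], records["iban"], len(static_key))

    # ...and because the key is shared, every other record decrypts with it.
    decrypted = {name: xor_with_key(blob, key) for name, blob in stored.items()}

    # Pattern leakage: identical inputs produce identical stored blobs, so
    # repeats are visible even without the key. A sound design would use
    # authenticated encryption with a key held by the OS credential store,
    # or simply not persist this data at all.
    same_input_same_blob = xor_with_key(b"jdoe", static_key) == stored["user"]

    return {
        "key_recovered": key == static_key,
        "all_decrypted": decrypted == records,
        "same_input_same_blob": same_input_same_blob,
    }
```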

The vulnerabilities were assigned a Common Vulnerability Scoring System score of 6, meaning medium severity. It’s not a score that screams high risk, but there is a real risk when it comes to regulatory compliance. Unsecured storage of personally identifiable information could lead to audit failures under regulations and standards such as the European Union’s General Data Protection Regulation, the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard. Attackers could also use the exposed data for reconnaissance, privilege escalation or phishing campaigns.

SAP has released updates to address the issue: SAP GUI for Windows 8.00 Patch Level 9+ and SAP GUI for Java 7.80 PL9+ or 8.10. However, the researchers recommend disabling the input history feature entirely, as fallback mechanisms might still leave some data exposed. Registry-level settings and deletion of historical data files are advised for full mitigation.

Discussing the report, Mayuresh Dani, security research manager at the Qualys Threat Research Unit, told SiliconANGLE via email that these vulnerabilities represent a significant organizational risk.

“Even though password fields are excluded from SAP GUI’s input history, the scope of exposed sensitive data that a threat actor can access is extensive,” said Dani. “Successful chaining and exploitation of these vulnerabilities allows threat actors to reverse-engineer the insecure key to an SAP GUI user history file and access the stored sensitive information.”
