UPDATED 09:00 EDT / JUNE 25 2025

SECURITY

Researchers uncover weak encryption in SAP user interface for Windows and Java

SAP SE has addressed two disclosed vulnerabilities in its SAP Graphical User Interface client applications, found in coordinated research by Pathlock Inc. and Fortinet Inc.

The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056, involved weak or absent encryption in the input history function of SAP GUI for Windows and SAP GUI for Java, exposing sensitive user data stored on local machines. The vulnerabilities were found to stem from how SAP GUI stores user input history, a feature designed to improve usability by recalling frequently used data entries such as usernames, identification numbers and bank account numbers.

In the Windows version of SAP GUI, the history is stored in an SQLite3 database and obfuscated with a weak XOR-based scheme. The researchers from Pathlock and Fortinet found that the same static key is used for every record and every installation, so an attacker who recovers the key once, either by reverse-engineering the client or by XORing a value they typed themselves against its stored form, can decrypt every entry in the database. In the Java version, the data is stored entirely unencrypted in serialized Java objects, exposing it to any user with local access to the machine or its files.
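To make the Windows weakness concrete, here is an added example, not code from SAP, Pathlock or Fortinet: a constructed stand-in for a history store that XORs each record with one fixed key. The key, the record layout and the sample values are assumptions for illustration and are not SAP GUI's real format or key. The example shows the known-plaintext route: a local attacker types a value they chose, reads its stored form back, recovers the key, and decrypts the victim's other entries.

```python
"""Added example (not SAP GUI's code): why one static, reused XOR key is not
meaningful encryption. Key, layout and values below are constructed."""
import itertools
from typing import List

# Constructed stand-in for a fixed key baked into a client binary.
STATIC_KEY = b"\x5a\xc3\x9f\x11\x7e\x02\xb4\x6d"


def xor_with_static_key(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Weak scheme: every record is XORed with the same short repeating key.
    Encryption and decryption are the same operation."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def guess_key_length(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32) -> int:
    """Smallest period consistent with a ciphertext/plaintext pair.
    A repeating static key leaks its length this way; the known plaintext
    should be longer than the key for the period to be unambiguous."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    raise ValueError("no repeating period found")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: ciphertext XOR plaintext = keystream,
    and with a static key the keystream is just the key repeated."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def demo() -> List[str]:
    """Walk through the attack against a constructed history store and return
    the victim's recovered entries."""
    # Constructed history table: values a victim typed into input fields,
    # stored XOR-obfuscated on disk with the shared static key.
    victim_entries = ["j.doe", "DE89370400440532013000", "123-45-6789"]
    stored = [xor_with_static_key(v.encode()) for v in victim_entries]

    # Attacker with local access enters a value they chose into a field,
    # then reads its stored form back from the same history store.
    canary = b"CANARY-1234567890-CANARY"
    canary_stored = xor_with_static_key(canary)

    key_len = guess_key_length(canary_stored, canary)
    key = recover_key(canary_stored, canary, key_len)

    # The recovered key decrypts every other record, for every user and
    # every installation that shares the same static key.
    return [xor_with_static_key(c, key).decode() for c in stored]


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The point of the example is that the "encryption" collapses to a key-recovery problem that costs one known value, and that the key is the same everywhere, so recovering it once is enough. A client that must persist such data needs a per-user secret the OS protects (on Windows, DPAPI is the usual mechanism), and the researchers' recommendation of not storing the history at all removes the problem entirely.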

The vulnerabilities were assigned a Common Vulnerability Scoring System score of 6.0, medium severity, reflecting that exploitation requires access to the local machine or its files. It’s not a score that screams high risk, but there is real risk when it comes to regulatory compliance. Unsecured storage of personally identifiable information could lead to audit failures under standards such as the European Union’s General Data Protection Regulation, the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard. Attackers could also use the exposed data for reconnaissance, privilege escalation or phishing campaigns.

SAP has released updates to address the issue: SAP GUI for Windows 8.00 Patch Level 9 or later, and SAP GUI for Java 7.80 Patch Level 9 or later, or 8.10. However, the researchers recommend disabling the input history feature entirely, as fallback mechanisms might still leave some data exposed. Because patching alone does not scrub history already written to disk, disabling the feature through the corresponding registry settings and deleting the existing history files are advised for full mitigation.

Discussing the report, Mayuresh Dani, security research manager at the Qualys Threat Research Unit, told SiliconANGLE via email that these vulnerabilities represent a significant organizational risk.

“Even though password fields are excluded from SAP GUI’s input history, the scope of exposed sensitive data that a threat actor can access is extensive,” said Dani. “Successful chaining and exploitation of these vulnerabilities allows threat actors to reverse-engineer the insecure key to an SAP GUI user history file and access the stored sensitive information.”
