Full Report
Cybersecurity researchers have detailed two now-patched security flaws in SAP Graphical User Interface (GUI) for Windows and Java that, if successfully exploited, could have enabled attackers to access sensitive information under certain conditions. The vulnerabilities, tracked as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were patched by SAP as part of its monthly updates for January
Analysis Summary
# Vulnerability: Insecure Storage of SAP GUI Input History (CVE-2025-0055 & CVE-2025-0056)
## CVE Details
- CVE ID: CVE-2025-0055 and CVE-2025-0056
- CVSS Score: 6.0 (Medium)
- CWE: Not specified in detail, but related to improper data protection/storage.
## Affected Systems
- Products: SAP Graphical User Interface (GUI) for Windows and SAP GUI for Java
- Versions: Not explicitly specified; releases prior to the January 2025 updates are vulnerable.
- Configurations: Any configuration where the input history functionality is enabled.
## Vulnerability Description
The vulnerabilities stem from the insecure local storage of SAP GUI input history data, which can contain sensitive information such as usernames, national IDs, SSNs, bank account numbers, and internal SAP table names.

* **SAP GUI for Windows (CVE-2025-0055):** Input history is stored using a weak XOR-based encryption scheme, making it trivial to decode.
* **SAP GUI for Java (CVE-2025-0056):** Input history is stored unencrypted as Java serialized objects.

An attacker who has administrative privileges or access to the victim's user directory on the operating system can access this data by locating the respective history database files.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC readiness is implied due to trivial decoding/reading.
- Complexity: Low (due to weak/no encryption and local file access).
- Attack Vector: Local access to the victim's machine (e.g., via phishing that leads to local execution, or HID injection attacks like USB Rubber Ducky).
## Impact
- Confidentiality: High (Potential disclosure of highly sensitive personal and organizational data).
- Integrity: Low (Not the primary impact).
- Availability: Low (Not the primary impact).
## Remediation
### Patches
- Patches were released by SAP as part of their **January 2025 security updates**. Users must apply the relevant SAP GUI updates to resolve these issues.
### Workarounds
1. Disable the input history functionality within SAP GUI.
2. Manually delete existing history database or serialized object files from the following directories:
   * **SAP GUI for Windows:** `%APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory.db`
   * **SAP GUI for Java (Windows):** `%APPDATA%\LocalLow\SAPGUI\Cache\History`
   * **SAP GUI for Java (Linux):** `$HOME/.SAPGUI/Cache/History`
   * **SAP GUI for Java (macOS):** `$HOME/Library/Preferences/SAP/Cache/History`
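
An added example (not SAP's or the researchers' code) that inventories history files under the directories listed above and, with `purge=True`, deletes them as workaround step 2 describes. The function names, the record fields and the POSIX group/other permission check are assumptions of this example; only the directory paths come from the list above.

```python
import os
import sys
from pathlib import Path

# Directory templates taken from the workaround list above; {APPDATA} and
# {HOME} are filled from the environment mapping handed to audit().
HISTORY_DIRS = {
    "windows": ["{APPDATA}/LocalLow/SAPGUI/Cache/History"],
    "linux": ["{HOME}/.SAPGUI/Cache/History"],
    "macos": ["{HOME}/Library/Preferences/SAP/Cache/History"],
}

def history_dirs(system, env):
    """Expand the templates for one OS, skipping any whose variable is unset."""
    dirs = []
    for template in HISTORY_DIRS[system]:
        try:
            dirs.append(Path(template.format_map(env)))
        except KeyError:
            continue
    return dirs

def audit(system, env, purge=False):
    """Return one record per history file found; delete each when purge=True."""
    findings = []
    for directory in history_dirs(system, env):
        if not directory.is_dir():
            continue
        for path in sorted(p for p in directory.rglob("*") if p.is_file()):
            info = path.stat()
            findings.append({
                "path": str(path),
                "bytes": info.st_size,
                # POSIX only: group/other bits mean more accounts can read it.
                "others_can_access": system != "windows"
                                     and bool(info.st_mode & 0o077),
                "purged": purge,
            })
            if purge:
                path.unlink()
    return findings

if __name__ == "__main__":
    if os.name == "nt":
        system = "windows"
    else:
        system = "macos" if sys.platform == "darwin" else "linux"
    # Report only; pass purge=True once input history has been disabled.
    for record in audit(system, os.environ):
        print(record)
```

Run it per user profile, since the paths resolve against the environment of the account executing it.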
## Detection
- **Indicators of Compromise (IoCs):** Unauthorized access or modification of the specific proprietary history database files (`SAPHistory.db` or Java serialized object files) within the user's SAP GUI cache directories.
- **Detection Methods and Tools:** File integrity monitoring (FIM) tools monitoring the specified local application data paths for unauthorized file access or reading.
## References
- Vendor Advisory: SAP January 2025 security updates (`support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html`)
- Research Disclosure: `pathlock.com/blog/security-alerts/cve-2025-0055-and-2025-0056/`