Full Report
Two SAP GUI vulnerabilities have been identified that expose sensitive data due to weak encryption in the input history feature.
Analysis Summary
# Vulnerability: SAP GUI Input History Stored with Weak or No Encryption
## CVE Details
- CVE IDs: CVE-2025-0055, CVE-2025-0056 (Note: Specific CVSS scores and CWE identifiers were not provided in the source text.)
- CVSS Score: N/A
- CWE: CWE-311 (Missing Encryption of Sensitive Data) or similar, given the weak or absent encryption.
## Affected Systems
- Products: SAP Graphical User Interface (SAP GUI) for Windows and SAP GUI for Java.
- Versions: Not explicitly specified, but affects historical versions utilizing this input history feature.
- Configurations: Any installation utilizing the input history feature for storing user inputs (usernames, financial data, business data).
## Vulnerability Description
Two related vulnerabilities exist in the SAP GUI input history feature across Windows and Java versions. This feature stores user inputs for convenience.
1. **SAP GUI for Windows (CVE-2025-0055):** Input history is stored in an SQLite3 database file (`%APPDATA%\LocalLow\SAPGUI\Cache\History`). This data is protected using a static XOR-based encryption, which is considered trivially reversible if a single known plaintext/ciphertext pair is obtained.
2. **SAP GUI for Java (CVE-2025-0056):** Input history data is stored as serialized objects with **no encryption** applied.
## Exploitation
- Status: Exploitation is likely feasible, as PoC/details are available through researcher disclosure.
- Complexity: Low (for Windows version, as key recovery is simple given one value). Very Low (for Java version, as data is unencrypted).
- Attack Vector: Local file system access is required to read the stored history files.
## Impact
- Confidentiality: High (Sensitive data such as usernames, account numbers, and other business data can be exposed).
- Integrity: Low/Medium (Disclosure doesn't directly alter data, but exposed credentials/data can lead to integrity compromises).
- Availability: Low (The vulnerability does not directly affect the availability of the service).
## Remediation
### Patches
- Patches are available from SAP corresponding to CVE-2025-0055 and CVE-2025-0056. Users must apply the relevant SAP security updates.
### Workarounds
- Disable the input history feature within SAP GUI settings if immediate patching is not possible.
## Detection
- **Indicators of Compromise (IOCs):** Unauthorized access or exfiltration of the SAP GUI cache directory (`%APPDATA%\LocalLow\SAPGUI\Cache\History` on Windows).
- **Detection Methods and Tools:**
  - File integrity monitoring (FIM) on the specified history database/cache locations.
  - Endpoint Detection and Response (EDR) tools should monitor for processes accessing this specific directory structure if credentials or sensitive data exposure is suspected.
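
The process-access monitoring described above can be sketched as detection logic over Windows Security event 4663 (object access) records. This is an added example, not code from SAP or the researchers; it assumes object-access auditing is enabled on the history directory, and the allowlisted image names, the sample events and the `example.db` file name are constructed for illustration.

```python
import ntpath

# Path suffix from the advisory; the per-user prefix varies, so match the tail.
HISTORY_SUFFIX = r"\sapgui\cache\history"
# Assumption: image names of the SAP GUI processes expected to read the store.
EXPECTED_IMAGES = {"saplogon.exe", "sapgui.exe"}
FILE_READ_DATA = 0x1  # ReadData / ListDirectory bit of the 4663 AccessMask

def touches_history(object_name):
    """True if the object is the history store or a file beneath it."""
    path = object_name.lower().replace("/", "\\")
    idx = path.find(HISTORY_SUFFIX)
    if idx == -1:
        return False
    rest = path[idx + len(HISTORY_SUFFIX):]
    return rest == "" or rest.startswith("\\")

def suspicious_reads(events):
    """Return (user, image, object) for reads by processes not on the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663 or not touches_history(ev.get("ObjectName", "")):
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & FILE_READ_DATA:
            continue
        image = ntpath.basename(ev.get("ProcessName", "")).lower()
        if image not in EXPECTED_IMAGES:
            findings.append((ev.get("SubjectUserName", "?"), image, ev["ObjectName"]))
    return findings

def _ev(user, image, obj, mask="0x1"):
    return {"EventID": 4663, "SubjectUserName": user, "ProcessName": image,
            "ObjectName": obj, "AccessMask": mask}

# Constructed sample events (user, paths and file name are illustrative only).
STORE = r"C:\Users\jdoe\AppData\LocalLow\SAPGUI\Cache\History\example.db"
SAMPLE_EVENTS = [
    _ev("jdoe", r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe", STORE),
    _ev("jdoe", r"C:\Windows\System32\robocopy.exe", STORE.upper()),
    _ev("jdoe", r"C:\Windows\System32\robocopy.exe", r"C:\Users\jdoe\Documents\a.txt"),
    _ev("jdoe", r"C:\Tools\sync.exe", STORE, mask="0x2"),  # write-only, not a read
]

if __name__ == "__main__":
    for user, image, obj in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT user={user} image={image} object={obj}")
```

Matching on the image base name alone is easy to evade with a renamed binary; a production rule should compare the full image path or signer as well.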
## References
- Vendor advisories are implied by the coordinated disclosure with SAP.
- Relevant links (defanged):
  - Infosecurity Magazine Article: `infosecurity-magazine-com/news/sap-gui-vulnerable-weak-encryption/`