SAP GUI, a trusted interface for hundreds of thousands of global enterprises, has been found to be storing sensitive user data with outdated encryption, potentially allowing data breaches.

According to Pathlock researcher Jonathan Stross and Fortinet’s Julian Petersohn, a couple of information disclosure vulnerabilities affect the product’s user input history feature in its Windows (CVE-2025-0055) and Java (CVE-2025-0056) versions.

The newly disclosed vulnerabilities affect how user-entered data like usernames, national IDs, and bank account numbers are stored locally, either unencrypted or protected with a weak, reusable XOR key.

“CVE-2025-0055 and CVE-2025-0056 both represent a significant organizational risk stemming from insecure local data storage practices,” said Mayuresh Dani, security research manager at Qualys. “Even though password fields are excluded from SAP GUI’s input history, the scope of exposed sensitive data that a threat actor can access is extensive.”

SAP, in coordination with the Pathlock team, silently issued relevant security patches and mitigation steps in January 2025, accessible only to SAP GUI customers.

Weak XOR encryption is exploitable

At the heart of CVE-2025-0055 lies a simple encryption failure. SAP GUI for Windows stashes previously entered values, such as user IDs or SSNs, in a local SQLite database file using exclusive OR (XOR)-based encryption. However, the encryption uses the same static key for every entry, and a single known value is enough to decrypt the rest.

“The inputs are saved in a SQLite3 database file (SAPHistory<WINUSER>.db) using a weak XOR-based encryption scheme, which makes them trivial to reverse with minimal effort,” Pathlock’s Stross said in a blog post.
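The following is an added, constructed example (not SAP’s code, not Pathlock’s tooling, and not the real SAPHistory database layout) that shows why a single reused XOR key offers no protection and what a per-entry scheme looks like. The static key, the 4-byte key length, the sample history values and the HMAC-based keystream construction are all assumptions made for illustration.

```python
import hmac
import hashlib
import secrets
from typing import List, Tuple

# Constructed sample history entries of the kind the article says the feature
# records (user IDs, national IDs, bank accounts). None of these are real data.
SAMPLE_ENTRIES = ["jdoe", "123-45-6789", "DE89370400440532013000", "plant-0042"]

# Constructed placeholder keys for the demo; they are not SAP's keys.
STATIC_KEY = bytes.fromhex("5ac3197e")      # the "one key for every entry" anti-pattern
MASTER_KEY = secrets.token_bytes(32)       # what a per-entry scheme would keep in a secret store

NONCE_LEN = 16
TAG_LEN = 32


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR two byte strings (truncates to the shorter one)."""
    return bytes(b ^ k for b, k in zip(data, keystream))


# --- Weak scheme: one static XOR key reused for every stored entry ------------
def repeating_xor(data: bytes, key: bytes) -> bytes:
    """Classic repeating-key XOR; encryption and decryption are the same operation."""
    stream = (key * (len(data) // len(key) + 1))[: len(data)]
    return xor_bytes(data, stream)


def weak_encrypt(plaintext: str) -> bytes:
    return repeating_xor(plaintext.encode(), STATIC_KEY)


def recover_static_key(ciphertext: bytes, known_plaintext: str, key_len: int) -> bytes:
    """Because c = p XOR key, a single known plaintext of at least key_len bytes
    hands back the entire repeating key: key = c XOR p."""
    raw = xor_bytes(ciphertext, known_plaintext.encode())
    if len(raw) < key_len:
        raise ValueError("known plaintext is shorter than the key")
    return raw[:key_len]


def weak_break_all(ciphertexts: List[bytes], known_index: int, known_plaintext: str) -> List[str]:
    """Audit check for a reviewer: with one known value, every other entry falls."""
    key = recover_static_key(ciphertexts[known_index], known_plaintext, len(STATIC_KEY))
    return [repeating_xor(c, key).decode(errors="replace") for c in ciphertexts]


# --- Per-entry scheme: fresh nonce, HMAC-derived keystream, integrity tag -------
def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Domain-separate the encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"history-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"history-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; unique per nonce, so never reused."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def strong_encrypt(plaintext: str, master_key: bytes = MASTER_KEY) -> bytes:
    """Record layout: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ct = xor_bytes(data, keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def strong_decrypt(record: bytes, master_key: bytes = MASTER_KEY) -> str:
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("history record tampered with or wrong key")
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct))).decode()


def strong_known_plaintext_helps(records: List[bytes], known_index: int,
                                 known_plaintext: str, target_index: int) -> bool:
    """Same audit check against the per-entry scheme: the keystream leaked by one
    known entry is unique to that entry and does not decrypt any other."""
    ct_known = records[known_index][NONCE_LEN:-TAG_LEN]
    leaked = xor_bytes(ct_known, known_plaintext.encode())
    ct_target = records[target_index][NONCE_LEN:-TAG_LEN]
    guess = xor_bytes(ct_target, leaked[: len(ct_target)])
    return guess == SAMPLE_ENTRIES[target_index].encode()


if __name__ == "__main__":
    weak = [weak_encrypt(e) for e in SAMPLE_ENTRIES]
    print("weak scheme, one known value:", weak_break_all(weak, 0, "jdoe"))
    strong = [strong_encrypt(e) for e in SAMPLE_ENTRIES]
    print("per-entry scheme, one known value helps:",
          strong_known_plaintext_helps(strong, 2, SAMPLE_ENTRIES[2], 1))
```

The per-entry variant only moves the problem to protecting MASTER_KEY; if that key sits next to the database it is no better than the static XOR key. A real client would have to keep it in an OS-protected store (DPAPI on Windows, for instance), which is why Pathlock’s advice to disable the history feature entirely is the simpler mitigation.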

CVE-2025-0056 revealed an even laxer approach in SAP GUI for Java, where history data is stored completely unencrypted. That means serialized Java objects holding sensitive user inputs can be freely accessed by anyone who can get onto the machine.

The problem is much greater on Java clients, according to Jason Soroko, senior fellow at Sectigo. “The same history is written to platform‑specific folders as plain, serialized Java objects — no encryption at all,” he said. “Anyone who gains local or remote file‑system access to a stolen laptop, a compromised workstation, or to a simple phishing foothold can harvest the history files to accelerate lateral movement, craft convincing spear‑phishing, or amass data that triggers compliance violations.”

Pathlock, too, warned that despite a medium CVSS rating of 6 out of 10, the flaws could lead to compliance issues, citing risks of audit failures under GDPR, PCI DSS, or HIPAA. SAP did not respond to queries on this matter.

The impact could be much greater

Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. “Not undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could comprehend organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalization attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,” Dani said.

The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, which affects SAP GUI for HTML and stems from the same underlying issue. While SAP has yet to patch this variant, Pathlock is concerned that patching might not be a permanent fix to these issues.

According to Stross, fallback mechanisms could undermine the updated versions SAP released with stronger encryption (SAP GUI for Windows 8.00 Patch Level 9 and later, and SAP GUI for Java 7.80 PL9 and later or 8.10), rendering the fix ineffective.

Pathlock recommends fully disabling input history to permanently mitigate the risk.
