Ethical Hacking News
Critical SAP GUI Vulnerabilities Exposed: A Threat to Sensitive Data and Token Theft
A newly disclosed vulnerability in Citrix NetScaler appliances has been identified as a critical security risk that can be exploited by threat actors to gain access to sensitive information. Additionally, SAP GUI for Windows and Java have been found to be vulnerable to exploitation due to weak input history storage schemes. In this article, we will delve into the details of these vulnerabilities and provide guidance on how users can mitigate any potential risks associated with them.
Citrix Bleed 2 vulnerability (CVE-2025-5777) can be exploited by threat actors to gain access to sensitive information stored in Citrix NetScaler appliances. SAP GUI for Windows and Java have been found to be vulnerable due to weak input history storage schemes, which could lead to token theft and exposure of sensitive data (CVE-2025-0055, CVE-2025-0056). The vulnerabilities can be mitigated by disabling the input history functionality and deleting existing database or serialized object files from affected directories.
Citrix Bleed 2, a newly disclosed vulnerability, has been identified as a critical security risk that can be exploited by threat actors to gain access to sensitive information stored in Citrix NetScaler appliances. Additionally, SAP GUI for Windows and Java have been found to be vulnerable to exploitation due to weak input history storage schemes, which could lead to token theft and exposure of sensitive data.
The vulnerability, tracked as CVE-2025-5777, has a CVSS score of 9.3, indicating that it is highly severe and can be exploited by threat actors with minimal effort. The patch for this vulnerability was released by Citrix in January 2025, but the company warned that users may still be at risk if they have not applied the update.
In a separate incident, SAP GUI for Windows and Java have been found to store input history insecurely, allowing attackers to access sensitive information such as usernames, national IDs, social security numbers, bank account numbers, and internal SAP table names. This vulnerability has been tracked as CVE-2025-0055 and CVE-2025-0056, with CVSS scores of 6.0.
The input history feature in SAP GUI is designed to allow users to access previously entered values in input fields, saving time and reducing errors. However, this feature can also be exploited by attackers who have administrative privileges or access to the victim's user directory on the operating system.
The vulnerabilities identified by Pathlock researcher Jonathan Stross are rooted in this input history feature, allowing an attacker to access the data within a predefined directory based on the SAP GUI variant. The affected directories include:
* SAP GUI for Windows - %APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory.db
* SAP GUI for Java - %APPDATA%\LocalLow\SAPGUI\Cache\History (Windows), $HOME/.SAPGUI/Cache/History (Linux) and $HOME/Library/Preferences/SAP/Cache/History (macOS)
To mitigate any potential risks associated with these vulnerabilities, it is advised to disable the input history functionality and delete existing database or serialized object files from the aforementioned directories.
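As an added example (not code from the article, Pathlock or SAP), the following Python script audits the input-history locations named above for the current user and, only when run with --delete, removes whatever files it finds there. The directory list is taken from the article; the function names, the dry-run default and the assumption that SAP GUI for Java on Windows shares the %APPDATA%\LocalLow\SAPGUI\Cache\History root with SAP GUI for Windows are this example's own.

```python
"""Audit (and optionally purge) SAP GUI input-history stores.

Added example: the directory list mirrors the locations named in the
article; helper names and the dry-run behaviour are assumptions of
this example, not SAP tooling.
"""
from __future__ import annotations

import os
import sys
from pathlib import Path


def candidate_history_dirs() -> list[Path]:
    """Directories where SAP GUI keeps input history, per the article.

    %APPDATA% / $HOME are expanded for the current user only; an audit
    across all user profiles would iterate over each profile root.
    """
    dirs: list[Path] = []
    if sys.platform.startswith("win"):
        appdata = os.environ.get("APPDATA")
        if appdata:
            # SAP GUI for Windows (SAPHistory.db) and SAP GUI for Java
            # both use this root on Windows (assumption based on the article)
            dirs.append(Path(appdata) / "LocalLow" / "SAPGUI" / "Cache" / "History")
    else:
        home = Path.home()
        # SAP GUI for Java on Linux
        dirs.append(home / ".SAPGUI" / "Cache" / "History")
        if sys.platform == "darwin":
            # SAP GUI for Java on macOS
            dirs.append(home / "Library" / "Preferences" / "SAP" / "Cache" / "History")
    return dirs


def find_history_artifacts(dirs) -> list[Path]:
    """Return every regular file below the given history directories.

    SAPHistory.db (SAP GUI for Windows) and the serialized object files
    written by SAP GUI for Java both live under these roots, so every
    file counts. Missing directories are skipped, not treated as errors.
    """
    found: list[Path] = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        found.extend(p for p in sorted(d.rglob("*")) if p.is_file())
    return found


def purge_history_artifacts(files, dry_run: bool = True) -> list[Path]:
    """Delete the listed files; with dry_run=True only report what would go."""
    removed: list[Path] = []
    for f in files:
        f = Path(f)
        if not f.is_file():
            continue
        if not dry_run:
            f.unlink()
        removed.append(f)
    return removed


if __name__ == "__main__":
    dry = "--delete" not in sys.argv
    hits = find_history_artifacts(candidate_history_dirs())
    if not hits:
        print("no SAP GUI input-history files found for the current user")
    for f in purge_history_artifacts(hits, dry_run=dry):
        print(("would delete: " if dry else "deleted: ") + str(f))
```

Deleting the files removes already-recorded values; it does not stop SAP GUI from writing new ones, so the input history option itself still has to be disabled in the client settings as the article advises. Run without arguments first to review what would be removed.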
In addition to SAP GUI, Citrix NetScaler appliances have also been affected by a critical-rated security flaw that could be exploited by threat actors to gain access to susceptible appliances. The vulnerability, codenamed Citrix Bleed 2, was discovered by security researcher Kevin Beaumont and has a CVSS score of 9.4.
The vulnerability is rooted in insufficient input validation that may enable unauthorized attackers to grab valid session tokens from memory via malformed requests. However, this only works when NetScaler is configured as a Gateway or AAA virtual server.
To address the vulnerability, Citrix recommends that users run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances have been upgraded:
kill icaconnection -all
kill pcoipConnection -all
The company also urges customers of NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 to move to a supported version, as those releases are now End Of Life (EOL) and no longer supported.
While there is no evidence that the flaw has been weaponized, watchTowr CEO Benjamin Harris said it "checks all the boxes" for attacker interest and that exploitation could be around the corner.
"CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed, a vulnerability that caused havoc for end-users of Citrix Netscaler appliances in 2023 and beyond as the initial breach vector for numerous high-profile incidents," Benjamin Harris said.
The disclosure comes as Citrix patched the critical-rated security flaw in NetScaler (CVE-2025-5777), which could be exploited by threat actors to gain access to susceptible appliances. The vulnerability has been addressed in the following versions:
* NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
* NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
* NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
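As an added example (not Citrix tooling or code from the article), the following Python helper classifies a NetScaler build string against the fixed releases listed above, and flags the 12.1 and 13.0 non-FIPS branches the article calls End Of Life. The version format and baselines come from the list above; the function names, the variant labels ("standard", "fips", "ndcpp") and the "unknown" result for branch/variant combinations the article does not list are assumptions of this example.

```python
"""Classify NetScaler ADC / Gateway builds against the CVE-2025-5777 fixed
releases quoted in the article. Added example; helper names and the
variant labels are this example's own, the baselines are the article's.
"""
from __future__ import annotations

import re

# (branch, variant) -> first fixed build on that branch, per the article
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),
    ("13.1", "ndcpp"): (37, 235),
    ("12.1", "fips"): (55, 328),
}

# Branches the article says are End Of Life and receive no fix
EOL_BRANCHES = {("12.1", "standard"), ("13.0", "standard")}

# Citrix build strings look like "13.1-58.32": release branch, then build
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple[str, tuple[int, int]]:
    """Split '13.1-58.32' into ('13.1', (58, 32)); raise on other shapes."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, b1, b2 = m.groups()
    return f"{major}.{minor}", (int(b1), int(b2))


def assess(version: str, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for CVE-2025-5777.

    The variant (standard / fips / ndcpp) is not encoded in the version
    string, so the caller supplies it from the appliance's licensing.
    """
    branch, build = parse_build(version)
    key = (branch, variant.lower())
    if key in EOL_BRANCHES:
        return "eol"
    baseline = FIXED_BUILDS.get(key)
    if baseline is None:
        return "unknown"
    # Builds compare numerically as (build, sub-build), not as strings
    return "fixed" if build >= baseline else "vulnerable"


def triage(version: str, variant: str = "standard", gateway_or_aaa: bool = True) -> str:
    """Turn the status into the action the article describes.

    gateway_or_aaa reflects the article's note that the flaw is only
    reachable on appliances configured as a Gateway or AAA virtual server.
    """
    status = assess(version, variant)
    if status == "eol":
        return "migrate to a supported release"
    if status == "vulnerable":
        return "upgrade now; then kill ICA/PCoIP sessions" if gateway_or_aaa \
            else "upgrade; not exposed via Gateway/AAA today"
    if status == "unknown":
        return "check Citrix advisory for this branch/variant"
    return "no action"


if __name__ == "__main__":
    # Constructed inventory, not real appliances
    for ver, var, exposed in [("14.1-43.56", "standard", True),
                              ("13.1-37.235", "standard", True),
                              ("13.1-37.235", "fips", True),
                              ("13.0-92.21", "standard", False)]:
        print(f"{ver:12} {var:8} -> {assess(ver, var):10} {triage(ver, var, exposed)}")
```

The comparison is done on the numeric build tuple because a string comparison would rank "13.1-58.32" below "13.1-7.1". The version alone does not say whether the appliance is a Gateway or AAA virtual server, so the exposure flag has to come from the configuration review.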
Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities.
In conclusion, the vulnerabilities identified in SAP GUI and Citrix NetScaler appliances are critical security risks that can be exploited by threat actors to gain access to sensitive information. SAP GUI users are advised to disable the input history functionality and delete existing database or serialized object files from the aforementioned directories, and NetScaler customers to upgrade to the fixed releases listed above, to mitigate any potential risks associated with these vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-SAP-GUI-Vulnerabilities-Exposed-A-Threat-to-Sensitive-Data-and-Token-Theft-ehn.shtml
Published: Wed Jun 25 08:52:52 2025 by llama3.2 3B Q4_K_M