The impact could be much greater: Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. “Not undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could comprehend organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalization attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,” Dani said.

The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, which affects SAP GUI for HTML and stems from the same underlying issue. While SAP has yet to patch this variant, Pathlock is concerned that patching might not be a permanent fix to these issues.

According to Stross, fallback mechanisms can potentially undermine the updated versions released by SAP with stronger encryption (SAP GUI for Windows 8.00 Patch Level 9+ and SAP GUI for Java 7.80 PL9+ or 8.10), making them ineffective. Pathlock recommends fully disabling input history to permanently mitigate the risk.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4012446/sap-gui-flaws-expose-sensitive-data-via-weak-or-no-encryption.html