SAP has patched two medium-severity vulnerabilities in the SAP GUI input history feature that could expose sensitive data stored on users' workstations.

SAP has addressed two significant vulnerabilities in its Graphical User Interface (SAP GUI) input history feature, affecting both the Windows and Java versions of the client. These flaws, tracked as CVE-2025-0055 and CVE-2025-0056, posed a risk of sensitive data exposure due to insecure local storage of user input history.

Nature of the Vulnerabilities

The input history feature in SAP GUI is designed to improve user efficiency by recalling previously entered values, such as usernames, national IDs, account numbers, and other business-critical data, from a cache on the local machine. In SAP GUI for Windows, this cache was an SQLite3 database whose contents were obfuscated with a weak XOR-based scheme using a static key. Because the same key is used everywhere and XOR is its own inverse, anyone with access to the file could trivially recover the plaintext.
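To make the weakness concrete, the following added example (not SAP's code; the key, field names and history records are made up for the demo) models a history store protected with a static repeating-key XOR and shows that an attacker who holds the file needs no secret: one record whose value is known, such as a username the user just typed, yields the key, and the key then unlocks every other record.

```python
# Added illustration (not SAP's code): why a static XOR key gives no confidentiality.
# DEMO_KEY, the field names and the sample records are constructed for this demo;
# the real SAP GUI key, schema and file layout are not reproduced here.
from itertools import cycle

DEMO_KEY = b"\x5a\x3c\x96\x0f"  # hypothetical static key baked into the client


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from one record whose plaintext is known:
    for each position, key = ciphertext XOR plaintext."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed sample history: (field name, value) pairs a user might have typed.
SAMPLE_HISTORY = [
    ("BNAME", "jdoe"),
    ("KUNNR", "0000100042"),
    ("IBAN", "DE89370400440532013000"),
]


def store_history(records, key=DEMO_KEY):
    """What the client writes to disk: each value XORed with the static key."""
    return [(field, xor_bytes(value.encode(), key)) for field, value in records]


def dump_history(stored, key):
    """Read every record back given the key."""
    return [(field, xor_bytes(blob, key).decode()) for field, blob in stored]


def attack(stored, known_field, known_value, key_len=len(DEMO_KEY)):
    """Attacker holds the file but not the key: derive the key from one known
    value, then read all other records. Since the key is static, this needs to
    be done only once for every installation of the client."""
    blob = dict(stored)[known_field]
    key = recover_key(blob, known_value.encode(), key_len)
    return key, dump_history(stored, key)


if __name__ == "__main__":
    on_disk = store_history(SAMPLE_HISTORY)
    key, plaintext = attack(on_disk, "KUNNR", "0000100042")
    print("recovered key:", key.hex())
    for field, value in plaintext:
        print(f"{field}: {value}")
```

The point the demo makes is that a static XOR key is obfuscation, not encryption: the secret is the same on every machine, and even if it were unknown, a single known value in the file reveals it. Protecting a local cache properly requires a per-user key held outside the file (for example an OS credential store), or not caching the sensitive fields at all.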

In SAP GUI for Java, the situation was worse: user input history was stored as unencrypted Java serialized objects, so the data was readable as-is by anyone with access to the file system.

Security and Compliance Risks

Anyone with administrative privileges or local access to the user's operating system profile could retrieve and decode this information, potentially exposing personally identifiable information (PII) and business data. Although both vulnerabilities are rated medium severity (CVSS 6.0), they carry significant compliance implications: improper storage of PII can violate GDPR, HIPAA, and PCI DSS, and the recovered usernames and business identifiers give an attacker who has already compromised a workstation material for phishing, privilege escalation, and lateral movement.

Mitigation and Patch Information

SAP released patches in January 2025 to address these vulnerabilities:

• SAP GUI for Windows: Fixed in version 8.00 Patch Level 9 and above.
• SAP GUI for Java: Fixed in version 7.80 PL9 or 8.10 and above.

Recommended Actions

• Apply the latest patches for both SAP GUI for Windows and Java to ensure the input history is securely handled.
• Disable the input history feature entirely, as fallback mechanisms or legacy files may still pose a risk even after patching.
• Delete existing history files from the following locations to remove any residual sensitive data:
  • Windows: %APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory<WINUSER>.db
  • Java (Windows/Linux): %APPDATA%\LocalLow\SAPGUI\Cache\History or $HOME/.SAPGUI/Cache/History
  • Java (macOS): $HOME/Library/Preferences/SAP/Cache/History
• Administrators can also disable input history per field or globally as an additional precaution.
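The cleanup step above is the one most likely to be forgotten once the patch is rolled out. The following added helper (not SAP's code or tooling) derives the history locations named above from the platform and environment, lists any files found, and deletes them only when explicitly asked; it defaults to a dry run so it can be reviewed before being pushed out through endpoint management.

```python
# Added helper (not SAP's code): find and optionally delete SAP GUI input-history
# files in the locations named in this advisory. Run it after patching and after
# disabling the input history feature, so the client does not recreate the cache.
from __future__ import annotations

import os
import platform
import sys
from pathlib import Path


def history_locations(system: str, env: dict) -> list[Path]:
    """Candidate history locations for a platform.
    `system` is platform.system() ('Windows', 'Linux', 'Darwin'); `env` holds the
    environment variables to expand. Paths follow the advisory; SAP GUI for Windows
    keeps its SAPHistory<WINUSER>.db inside the same History directory that
    SAP GUI for Java uses on Windows, so scanning that directory covers both."""
    locs: list[Path] = []
    if system == "Windows":
        appdata = env.get("APPDATA")
        if appdata:
            locs.append(Path(appdata) / "LocalLow" / "SAPGUI" / "Cache" / "History")
    elif system == "Darwin":
        home = env.get("HOME")
        if home:
            locs.append(Path(home) / "Library" / "Preferences" / "SAP" / "Cache" / "History")
    else:  # Linux and other Unix-like systems
        home = env.get("HOME")
        if home:
            locs.append(Path(home) / ".SAPGUI" / "Cache" / "History")
    return locs


def find_history_files(locations) -> list[Path]:
    """Return every regular file under the given locations (a location may be a
    single database file or a History directory)."""
    found: list[Path] = []
    for loc in locations:
        if loc.is_file():
            found.append(loc)
        elif loc.is_dir():
            found.extend(sorted(p for p in loc.rglob("*") if p.is_file()))
    return found


def purge_history(files, dry_run: bool = True) -> list[Path]:
    """Delete the files unless dry_run is set; return the files acted on."""
    handled: list[Path] = []
    for f in files:
        if not dry_run:
            f.unlink()
        handled.append(f)
    return handled


if __name__ == "__main__":
    # Usage: python purge_sapgui_history.py [--delete]
    delete = "--delete" in sys.argv[1:]
    files = find_history_files(history_locations(platform.system(), dict(os.environ)))
    if not files:
        print("no SAP GUI history files found")
    for f in purge_history(files, dry_run=not delete):
        print(("deleted " if delete else "would delete ") + str(f))
```

Because the script runs in the user's own context, it only reaches that user's profile; on shared or multi-user hosts, run it once per profile, or adapt it to iterate over profile directories under an administrative account.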