Cybersecurity researchers have uncovered and detailed two vulnerabilities in SAP’s Graphical User Interface (GUI) for Windows and Java, tracked as CVE-2025-0055 and CVE-2025-0056.

These flaws, now patched, could have allowed attackers to access sensitive user data stored locally on affected systems. The issue stems from the way SAP GUI stores input history—data such as usernames, SSNs, and bank account details—which was saved using either weak XOR-based encryption (Windows) or no encryption at all (Java). Researchers at Pathlock warned that attackers with access to a system could easily extract and misuse this information.

In addition, Pathlock identified a third related vulnerability, CVE-2025-0059, affecting SAP NetWeaver Application Server ABAP via the HTML-based GUI. This flaw, which remains unpatched, also exposes stored input history and highlights a broader security concern across SAP platforms. To mitigate risk, users are advised to disable the input history feature and delete the associated local files. The risk of exploitation through HID injection attacks or phishing is particularly concerning, given the local and insecure nature of the data storage.

Separately, Citrix has addressed a critical flaw in its NetScaler appliances, dubbed “Citrix Bleed 2” (CVE-2025-5777). This vulnerability, with a CVSS score of 9.3, allows unauthenticated attackers to obtain session tokens via crafted requests, bypassing authentication when NetScaler is configured as a Gateway or AAA virtual server. The bug affects multiple NetScaler versions, prompting urgent patching and session termination commands. Though not yet seen in active attacks, experts warn that exploitation is likely imminent due to the high-value access it provides. Customers using unsupported versions are strongly urged to upgrade to mitigate potential threats.