SAP’s latest security bulletin sent ripples through enterprise IT teams, uncovering flaws in one of the most widely used enterprise tools: SAP GUI. Two medium-severity vulnerabilities (CVE-2025-0055 and CVE-2025-0056) in SAP GUI for Windows and Java reveal how innocuous features can evolve into exploitable weak points, particularly when they handle sensitive data in memory and on disk.
At the heart of the issue lies SAP’s input history feature, meant to simplify workflows but now shown to potentially expose a treasure trove of confidential information. This includes usernames, national IDs, social security numbers, and internal table names, all stored locally on the endpoint. The real concern? These values are either weakly encrypted using XOR (Windows) or stored as entirely unencrypted serialized objects (Java).
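To show why a fixed XOR key is obfuscation rather than encryption (and why the remediation is to disable and purge the history rather than trust it), here is an added Python example; it is not code from SAP or the advisory. The key, its length and the field=value record layout are constructed assumptions, since the real history file format is not described here; with a properly authenticated cipher and a fresh nonce per record, neither leak below would occur.

```python
# Added example (constructed data): why a repeating XOR key gives no confidentiality.
from itertools import cycle

KEY = b"\x5a\xa7\x13\xc4\x2e"  # constructed repeating key (assumption, not SAP's)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def leak_equal_prefix(ct_a: bytes, ct_b: bytes) -> int:
    """Leak 1 (no key needed): XORing two records cancels the key, so every
    position where the plaintexts agree becomes a zero byte. Count the shared prefix."""
    n = 0
    for a, b in zip(ct_a, ct_b):
        if a ^ b:
            break
        n += 1
    return n


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Leak 2 (known plaintext): key[i] = ct[i] ^ pt[i]; one predictable field
    as long as the key recovers the key for every record in the store."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed "history" records in a field=value layout (assumption).
RECORDS = [
    b"user=alice;ssn=123-45-6789",
    b"user=alice;ssn=987-65-4321",
    b"user=bob;table=ZPAYROLL",
]
STORED = [xor_bytes(r, KEY) for r in RECORDS]


def demo():
    """Return (shared prefix length of records 0 and 1, recovered key, recovered plaintexts)."""
    shared = leak_equal_prefix(STORED[0], STORED[1])   # "user=alice;ssn=" -> 15 bytes
    key = recover_key(STORED[0], b"user=", len(KEY))    # the predictable field prefix
    plaintexts = [xor_bytes(c, key) for c in STORED]
    return shared, key, plaintexts
```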
This kind of flaw is often underestimated. If an attacker gains local or administrative access, retrieving these history files becomes alarmingly easy. Combine this with a HID injection tool or a phishing attack, and you’re looking at a stealthy, high-impact breach vector. In such cases, user data becomes low-hanging fruit, accessible without triggering alarms, especially in environments where endpoint security hygiene is inconsistent.
Organizations relying heavily on SAP, especially in financial services, manufacturing, and government, should move swiftly. Disabling the input history feature and purging the existing history files is the first step. But broader awareness is needed: this is not merely about two CVEs; it’s about the pattern of over-trusting local application memory and storage.
Meanwhile, a more ominous presence returns: Citrix Bleed 2.
Citrix’s January 2025 patch round tackled CVE-2025-5777, a high-severity vulnerability eerily reminiscent of 2023’s CitrixBleed. Once again, authentication is bypassed, this time through malformed requests that harvest session tokens from memory when NetScaler is configured as a Gateway or AAA virtual server.
This flaw is dangerously potent. It doesn’t need a sophisticated payload; it only requires unpatched systems and timing. Kevin Beaumont aptly dubbed it “Citrix Bleed 2”, and given the prior damage caused by its predecessor, organizations are advised to act preemptively, not reactively.
Admins must upgrade to the patched versions immediately, then execute the session termination commands (kill icaconnection -all, kill pcoipConnection -all) to invalidate any sessions whose tokens may already have been harvested; patching alone does not revoke tokens that were leaked before the upgrade. Also notable: NetScaler versions 12.1 and 13.0 are now officially EOL; running them is no longer an option for organizations prioritizing resilience.
Conclusion
These incidents underline a persistent cybersecurity theme: overlooked memory and session data can open massive security gaps. Whether it’s a user’s input history in SAP or session tokens in NetScaler, memory is often the last place teams think to secure and the first place attackers look.
Organizations must reevaluate how they store, encrypt, and manage user data and session states. Vigilance must extend beyond patching to reviewing defaults, disabling legacy conveniences, and training teams to recognize memory as a live attack surface.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. These latest SAP and Citrix vulnerabilities directly impact sectors that rely on ERP platforms and secure remote access areas where COE Security brings significant expertise.
We help by:
- Performing penetration testing and memory forensics to detect hidden leakage
- Guiding secure configuration of enterprise applications like SAP and NetScaler
- Strengthening endpoint and access control hygiene to block social engineering vectors
- Offering incident response readiness for legacy and modern platforms alike
Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and stay ahead of stealthy risks like memory-based data leaks and rapidly evolving social engineering campaigns.