Critical Vulnerabilities in Citrix and SAP Systems Expose Sensitive Data

Recent cybersecurity analyses have uncovered significant vulnerabilities in widely used enterprise systems, notably Citrix NetScaler appliances and SAP Graphical User Interface (GUI) platforms. These flaws, if exploited, could lead to unauthorized access and potential data breaches, underscoring the critical need for immediate attention and remediation.

Citrix NetScaler Vulnerability: CVE-2025-5777

Citrix has identified and patched a critical security flaw in its NetScaler Application Delivery Controller (ADC) and Gateway appliances, designated as CVE-2025-5777 with a Common Vulnerability Scoring System (CVSS) score of 9.3. This vulnerability arises from insufficient input validation, allowing unauthorized attackers to extract valid session tokens from memory through specially crafted requests. Because a stolen token represents an already-authenticated session, exploitation effectively bypasses authentication mechanisms and grants the attacker access to the system.

The issue is particularly concerning when NetScaler is configured as a Gateway or Authentication, Authorization, and Accounting (AAA) virtual server. Security researcher Kevin Beaumont has dubbed this flaw Citrix Bleed 2, drawing parallels to the previously exploited CVE-2023-4966, known as Citrix Bleed, which had a CVSS score of 9.4 and was actively exploited in the wild two years prior.

Citrix has addressed this vulnerability in the following software versions:

– NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases

– NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1

– NetScaler ADC 13.1-FIPS and 12.1-FIPS versions

Administrators are strongly urged to update their systems to these patched versions promptly to mitigate potential risks.
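As a quick way to triage an appliance inventory against the fixed builds listed above, the following is an added example and not Citrix tooling. The hostnames, the sample builds, and the "NS14.1: Build 43.56.nc" banner form it accepts are assumptions.

```python
import re

# First patched build per release branch, as listed in the article.
FIXED = {(14, 1): (43, 56), (13, 1): (58, 32)}

# Matches the article's "14.1-43.56" form and, as an assumption, a
# "NS14.1: Build 43.56.nc" banner form.
_VER = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)


def assess(version):
    """Classify one version string against the fixed builds for CVE-2025-5777."""
    if "FIPS" in version.upper():
        # The article names the FIPS branches but gives no build number.
        return "check-advisory"
    m = _VER.search(version)
    if not m:
        return "unparsed"
    major, minor, b_major, b_minor = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"
    # Tuple comparison orders builds numerically, so 43.100 > 43.56.
    return "patched" if (b_major, b_minor) >= fixed else "vulnerable"


def triage(inventory):
    """Return {host: status} for every appliance not confirmed patched."""
    findings = {}
    for host, version in inventory.items():
        status = assess(version)
        if status != "patched":
            findings[host] = status
    return findings


# Constructed inventory: hostnames and builds are sample values.
SAMPLE = {
    "gw-a": "14.1-43.56",
    "gw-b": "NS14.1: Build 38.53.nc",
    "gw-c": "13.1-58.32",
    "gw-d": "13.1-51.15",
    "gw-e": "13.1-FIPS",
    "gw-f": "12.1-55.300",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Anything reported as `check-advisory` or `branch-not-listed` needs a manual look at the vendor bulletin, since the article gives no build number for those branches.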

SAP GUI Vulnerabilities: CVE-2025-0055 and CVE-2025-0056

In parallel, cybersecurity researchers have detailed two now-patched security flaws in SAP’s Graphical User Interface (GUI) for Windows and Java, identified as CVE-2025-0055 and CVE-2025-0056, each with a CVSS score of 6.0. These vulnerabilities, if exploited, could have enabled attackers to access sensitive information under certain conditions.

The vulnerabilities stem from the way SAP GUI handles input history, a feature that allows users to access previously entered values in input fields to save time and reduce errors. This historical information is stored locally on devices and can include sensitive data such as usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.

The identified issues are as follows:

– SAP GUI for Windows: The input history is stored in a database file located at `%APPDATA%\LocalLow\SAPGUI\Cache\History\SAPHistory.db`. The data in this file is protected only by a weak XOR-based encryption scheme, which makes it trivial to decode.

– SAP GUI for Java: The input history is stored as unencrypted Java serialized objects in directories such as `%APPDATA%\LocalLow\SAPGUI\Cache\History` (Windows), `$HOME/.SAPGUI/Cache/History` (Linux), and `$HOME/Library/Preferences/SAP/Cache/History` (macOS).

As a result, an attacker with administrative privileges or access to the victim’s user directory on the operating system could access this data, leading to potential confidentiality breaches.

To mitigate these risks, it is advised to disable the input history functionality and delete existing database or serialized object files from the aforementioned directories.

Implications and Recommendations

The discovery of these vulnerabilities highlights the ongoing challenges in securing enterprise systems against sophisticated cyber threats. Organizations utilizing Citrix NetScaler appliances and SAP GUI platforms should take the following actions:

1. Immediate Patching: Apply the latest security updates provided by Citrix and SAP to address the identified vulnerabilities.

2. Review Configurations: Ensure that system configurations do not expose unnecessary attack surfaces, particularly in the case of NetScaler appliances configured as Gateways or AAA virtual servers.

3. Disable Vulnerable Features: In the case of SAP GUI, disable the input history feature to prevent the storage of sensitive information in an insecure manner.

4. Monitor Systems: Implement robust monitoring to detect any unauthorized access or unusual activity that may indicate exploitation attempts.

5. Educate Users: Inform users about the importance of safeguarding sensitive information and the potential risks associated with input history features.

By proactively addressing these vulnerabilities and implementing comprehensive security measures, organizations can significantly reduce the risk of data breaches and maintain the integrity of their systems.