Citrix Bleed 2 Vulnerability Allows Token Theft; SAP GUI Flaws Threaten Sensitive Data Security

June 25, 2025
Data Privacy / Vulnerability

Cybersecurity experts have unveiled two recently patched vulnerabilities in the SAP Graphical User Interface (GUI) for Windows and Java, which could allow attackers to access sensitive information if exploited. The vulnerabilities, identified as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were addressed in SAP’s January 2025 monthly update. According to Pathlock researcher Jonathan Stross, the research revealed that the SAP GUI input history is insecurely stored in both Java and Windows versions. This input history feature is designed to help users quickly access previously entered data, storing it locally on devices. However, this can include sensitive information such as usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names. The vulnerabilities highlighted by Pathlock stem from these insecure storage methods.

Citrix Bleed 2 Vulnerability Facilitates Token Theft; SAP GUI Flaws Compromise Sensitive Data Security

June 25, 2025

In recent cybersecurity findings, researchers outlined two significant vulnerabilities in the SAP Graphical User Interface (GUI) for both Windows and Java platforms. These security flaws, designated as CVE-2025-0055 and CVE-2025-0056 and each rated with a CVSS score of 6.0, were remediated by SAP during their January 2025 update cycle. If exploited, these vulnerabilities could have exposed sensitive user information under specific conditions.

Investigations led by Pathlock researcher Jonathan Stross revealed that the SAP GUI inadequately protects input history, persisting insecurely across both Java and Windows environments. The history feature allows users to conveniently retrieve previously inputted values, streamlining workflows and minimizing errors. However, this local storage can inadvertently harbor sensitive data such as usernames, national IDs, social security numbers (SSNs), and bank account numbers, as well as internal SAP identifiers.

The primary target of these vulnerabilities encompasses organizations utilizing SAP software, particularly those operating within high-risk sectors where data integrity and privacy are paramount. Given SAP’s widespread adoption, the implications of these flaws cast a wide net, affecting numerous businesses across the landscape.

While the specific geographical footprint of the exploits remains indeterminate, organizations based in the United States and beyond that employ SAP products are at increased risk. The ramifications of these vulnerabilities underscore the importance of note-worthy cybersecurity hygiene and timely updates, as neglecting to patch such flaws can lead to catastrophic breaches.

In analyzing the potential tactics employed by adversaries who might exploit these vulnerabilities, one can correlate with the MITRE ATT&CK framework. Techniques such as initial access and credential dumping could be relevant, wherein attackers first gain entry via insecure inputs and subsequently harvest sensitive credentials from the stored GUI history. Additionally, persistence could be achieved if a threat actor exploits these flaws to maintain access over prolonged periods.

To mitigate the risk associated with these vulnerabilities, it is imperative for organizations to promptly implement the available patches by SAP and to establish rigorous data handling protocols that address security weaknesses. Continuous monitoring and a proactive approach toward vulnerability management will be crucial in safeguarding sensitive information from potential adversical exploitation.

This incident not only serves as a reminder of the ever-evolving landscape of cybersecurity threats but also highlights the necessity for business owners to remain vigilant and proactive in their security strategies. Failure to address such vulnerabilities can lead to significant reputational damage and legal consequences in an increasingly data-driven world.

Source link

Related Posts

XDigo Malware Exploits Windows LNK Vulnerability in Eastern European Government Attacks

On June 23, 2025, cybersecurity researchers unveiled XDigo, a Go-based malware utilized in attacks against Eastern European government entities in March 2025. The cyber espionage campaign, known as XDSpy, has been targeting government agencies in Eastern Europe and the Balkans since 2011, with its origins traced back to early documentation by the Belarusian CERT in 2020. Recent years have seen numerous campaigns aimed at organizations in Russia and Moldova, deploying malware families such as UTask, XDDown, and DSDownloader to retrieve sensitive data from compromised systems. HarfangLab reported that the threat actor exploited a remote code execution vulnerability in Microsoft Windows, triggered by specially crafted LNK files, as part of a multi-stage attack approach.

Citrix Issues Urgent Patches for Actively Exploited Vulnerability CVE-2025-6543 in NetScaler ADC

June 25, 2025
Vulnerability / Network Security

Citrix has launched critical security updates to address a significant vulnerability in NetScaler ADC, which is currently being exploited in the wild. This vulnerability, identified as CVE-2025-6543, has a CVSS score of 9.2 out of 10. It involves a memory overflow issue that could lead to unintended control flow and potential denial-of-service attacks. Successful exploitation requires the appliance to be set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The affected versions include:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

Citrix has indicated that vulnerabilities also impact “Secure Private Access on-prem or Secure Private Access Hybrid” deployments utilizing NetScaler instances.

9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.