Pathlock, too, warned that despite a medium CVSS rating of 6 out of 10, the flaws could lead to compliance issues, citing risks of audit failures under GDPR, PCI DSS, or HIPAA. SAP did not respond to queries on this matter.
The impact could be much greater
Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. “Not undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could comprehend organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalization attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,” Dani said.
The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, which affects SAP GUI for HTML and stems from the same underlying issue. SAP has yet to patch this variant, and Pathlock is concerned that patching alone might not be a permanent fix for these issues.
According to Stross, fallback mechanisms could undermine the updated versions SAP has released with stronger encryption (SAP GUI for Windows 8.00 Patch Level 9 and later, and SAP GUI for Java 7.80 PL9 and later or 8.10), rendering the fixes ineffective.