
Safe Tuesday with SNOK: SAP GUI security – as important in 2025 as it was in 2005


In the world of technology, everything changes fast, yet certain fundamental security concerns remain unchanged. This is clearly illustrated by SAP GUI – the core user interface of SAP systems, which despite its maturity and nearly 30 years on the market still requires a systematic approach to security. The latest security notes from early 2025 confirm that work on SAP GUI security never truly ends.

SAP GUI vulnerabilities in 2025 – the problems persist

An analysis of the latest SAP security notes from the first quarter of 2025 reveals a series of critical vulnerabilities affecting various SAP GUI components:

Cross-Site Scripting (XSS) in SAP GUI for HTML

Two separate security notes (3562390 and 3552824) describe serious XSS-type vulnerabilities in the WebGUI component (SAP GUI for HTML):

  • CVE-2025-25242: a vulnerability arising from a lack of proper output encoding

  • CVE-2025-26659: DOM-based XSS enabling unauthenticated attackers to craft a malicious message exploiting WEBGUI functionality

Both vulnerabilities received a CVSS score of 6.1, classifying them as medium-risk.
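The two WebGUI notes above share one root cause class: a value that originated with the user (or with another client-side source, in the DOM-based case) reaches an HTML sink without being encoded first. The block below is an added illustration written for this article, not code from SAP or from the SNOK article, and the function names are hypothetical. It runs under Node.js without a browser and shows the vulnerable string-splicing pattern next to the encoded version, plus a coarse check a reviewer can run over rendered markup to confirm that no foreign tag survived.

```javascript
// Added example (not SAP's or SNOK's code): output encoding as the fix for the
// "lack of proper output encoding" XSS class described in the security notes.

// Encode a string for insertion into an HTML text node or quoted attribute.
// Every character that can open or close markup is replaced by its entity.
function encodeForHtml(value) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted input spliced straight into markup. Kept here
// only so the check below can show what the encoder prevents.
function renderMessageUnsafe(message) {
  return `<div class="sapMessage">${message}</div>`;
}

// Hardened pattern: same template, but every untrusted value passes through
// encodeForHtml() first, so the browser renders it as text, never as markup.
function renderMessageSafe(message) {
  return `<div class="sapMessage">${encodeForHtml(message)}</div>`;
}

// Coarse sanity check for rendered output: after encoding, the only tag that
// may appear is the template's own <div>. This is a review aid, not a parser.
function containsForeignTag(html, allowed = ["div"]) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// DOM-based variant: when the message comes from a client-side source (URL
// fragment, postMessage, ...), the fix is to write it through a text sink such
// as textContent rather than innerHTML. A plain object stands in for the
// element so the example runs outside a browser.
function setMessageText(element, message) {
  element.textContent = String(message); // text sink: no markup parsing
  return element;
}

// Constructed sample message of the kind a user could submit.
const SAMPLE_MESSAGE = 'Order 4711 <script>alert(1)</script> saved';

// Stand-alone run: compare both renderings.
console.log("unsafe:", renderMessageUnsafe(SAMPLE_MESSAGE));
console.log("safe:  ", renderMessageSafe(SAMPLE_MESSAGE));
console.log("text sink:", setMessageText({}, SAMPLE_MESSAGE).textContent);
```

The encoder is deliberately context-specific: it is correct for HTML text nodes and quoted attribute values, but a value placed inside a JavaScript string, a URL or a CSS property needs a different encoder for that context. The `containsForeignTag` check is the kind of assertion worth adding to a UI unit test so that a regression of the note's root cause is caught before release.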

Improper storage of credentials in memory

Security note 3562336 describes a vulnerability related to the improper storage of SAP GUI for Windows and RFC service credentials in program memory. This allows an attacker with high privileges on the client machine to access information on the ABAP application server, even without holding an account on the backend system.

DLL hijacking vulnerability in SAPSetup

According to note 3542533, the SAPSetup component contains a DLL injection vulnerability that allows an attacker with local user privileges, or access to a compromised corporate account, to gain elevated privileges. This can lead to further compromise of the company network and Active Directory.

Local data storage issues

Notes 3502459 (GUI for Java), 3503138 (WebGUI) and 3472837 (GUI for Windows) describe vulnerabilities related to the improper storage of user-entered data in local browser memory or input history. These vulnerabilities can lead to the disclosure of sensitive information.

Why regular SAP GUI updates are essential

Vulnerabilities in SAP GUI are continually being discovered and fixed, which shows that even mature products require ongoing security oversight. There are several key reasons why regular SAP GUI updates are essential:

  • A changing threat landscape – new attack techniques emerge year on year that may exploit previously unknown vulnerabilities

  • Technology evolution – SAP GUI integrates with new technologies (such as WebView2/Edge replacing Internet Explorer), introducing new attack vectors

  • Increased exposure – more and more organisations connect their SAP systems to external systems (B2B, cloud, etc.), expanding the potential attack surface

How to secure SAP GUI in 2025

Based on the latest SAP security documentation and SNOK’s expert knowledge, we recommend the following steps:

1. Deploy security patches regularly

All detected vulnerabilities have been fixed by SAP in the relevant Support Packages. It is essential to deploy these patches promptly once they are released.

2. Configure the SAP GUI security module

SAP GUI has an extensive security module that protects the workstation against unwanted actions. We recommend:

  • Using “Customized” mode with security rules tailored to the organisation’s needs

  • Configuring Context-Dependent Rules to allow only the operations necessary for specific systems and transactions

  • Creating a central repository of security policies for the whole organisation

3. Secure local data

  • Configure automatic deletion of temporary files and traces in SAP GUI folders

  • Consider encrypting the hard drive on workstations (e.g. BitLocker)

  • Use SAP GUI options to manage the lifetime of local files: enable automatic deletion of files in the Documents folder when SAP Logon closes; disable input history for fields containing sensitive data (~sap-disableinputhistory = 1); shorten the retention time for user-entered data (~data_aging_default)

4. Secure network connections

  • Deploy SNC (Secure Network Communications) for all connections between SAP GUI and application servers

  • Consider using SAP NetWeaver Single Sign-On or SNC Client Encryption

  • Control the ports used by SAP GUI in network firewalls

5. Monitor WebGUI activity

If you use SAP GUI for HTML (WebGUI):

  • Use Chromium-based Edge instead of Internet Explorer

  • Configure the WebguiConnector securely

  • Regularly clear browser data

6. Apply the principle of least privilege

  • Restrict the ability to install browser extensions related to SAP GUI

  • Use appropriate authentication and authorisation mechanisms

  • Control the execution of SAP shortcuts and command-line instructions

The role of SNOK experts

SNOK consultants, as SAP cybersecurity specialists, offer:

  • Regular monitoring of SAP security bulletins

  • Preparation of detailed recommendations for clients, tailored to their specific environment

  • Support in implementing patches and configuring SAP GUI security settings

  • Regular security audits of the SAP environment, including SAP GUI client configuration

Summary

SAP GUI security remains a critically important element of the overall SAP security strategy. Although SAP GUI is a mature product, it still requires the same level of security effort as it did 20 years ago. Regular updates, proper configuration and cooperation with experts such as SNOK help minimise the risk associated with detected vulnerabilities.

Topics: Safe Tuesday sap-security SAP S/4HANA
