Citrix, SAP GUI, and Token Theft: A Deep Dive into Recent Vulnerabilities

Explore critical vulnerabilities in Citrix NetScaler and SAP GUI, highlighting the risks of token theft and data exposure, and offering essential mitigation strategies.

The cybersecurity landscape is ever-evolving, and recent disclosures concerning Citrix and SAP GUI highlight the persistent threats organizations face. With vulnerabilities leading to potential token theft and sensitive data exposure, understanding these issues is crucial. Let's delve into the specifics.

Citrix Bleed 2: A New Wave of Token Theft

A critical-rated security flaw, CVE-2025-5777, in NetScaler ADC and Gateway products (formerly Citrix ADC and Gateway) has emerged, threatening unauthorized access via token theft. Dubbed 'Citrix Bleed 2' due to its similarities to the infamous CVE-2023-4966, this vulnerability stems from insufficient input validation. Attackers can exploit this flaw to grab valid session tokens from memory through malformed requests, effectively bypassing authentication. This is particularly concerning when NetScaler is configured as a Gateway or AAA virtual server.

The urgency is amplified by the fact that while there's no confirmed weaponization yet, experts believe it possesses all the hallmarks of a high-interest target for malicious actors. The initial limitations associated with the vulnerability have also been removed, suggesting a potentially broader impact than initially anticipated.

Versions at Risk and Mitigation

Several NetScaler ADC and Gateway versions are affected, including 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, and various FIPS-compliant versions. Alarmingly, versions 12.1 and 13.0, now End of Life (EOL), remain vulnerable without available patches. Organizations using Secure Private Access on-premises or hybrid deployments with NetScaler instances are urged to upgrade immediately. Post-upgrade, terminating all active ICA and PCoIP sessions is crucial.

SAP GUI's Input History: A Data Exposure Nightmare

On another front, vulnerabilities CVE-2025-0055 and CVE-2025-0056 in SAP GUI for Windows and Java expose sensitive information through insecure storage of input history. The SAP GUI input history feature, designed for user convenience, stores previously entered values locally. However, the research discovered that this history is stored insecurely, both in the Java and Windows versions. This can include usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names.

The Windows version employs a weak XOR-based encryption scheme easily decoded, while the Java version stores entries unencrypted. An attacker with administrative privileges or access to the victim's user directory can access this data, potentially leading to severe confidentiality breaches. Exfiltration through HID injection attacks or phishing becomes a real threat.

Securing Your SAP GUI

To mitigate these risks, disabling the input history functionality and deleting existing database or serialized object files from the designated directories is strongly recommended.

Putting It All Together: A Call to Action

These vulnerabilities in Citrix and SAP GUI underscore the need for proactive security measures. Regularly updating systems, promptly applying patches, and implementing recommended mitigations are essential steps in safeguarding against potential exploits.

It's a jungle out there in cybersecurity, isn't it? But with vigilance and a proactive approach, you can keep those digital predators at bay. Stay safe, stay updated, and keep those patches rolling!