Pathlock, too, warned that despite a medium CVSS score of 6 out of 10, the flaws may raise compliance issues, citing the risk of audit failures under GDPR, PCI DSS, or HIPAA. SAP did not reply to queries on this matter.
The impact could be much greater
Dani noted that a breach through these vulnerabilities can facilitate further targeted attacks. “Not undermining the fact that this extracted data provides attackers with enough gunpowder for reconnaissance activities, a threat actor could comprehend organizational structure, usage patterns, and system configurations from the exploitation of these vulnerabilities and weaponize them for personalization attacks such as spear phishing to effectively compromise a targeted user and carry out further attacks,” Dani said.
The Pathlock research also led to the discovery of a related flaw in SAP NetWeaver AS ABAP, tracked as CVE-2025-0059, affecting SAP GUI for HTML and stemming from the same underlying issue. While SAP has yet to patch this variant, Pathlock is concerned that patching will not be a permanent fix for these issues.
According to Stross, fallback mechanisms can potentially undermine the updated versions released by SAP with stronger encryption – SAP GUI for Windows 8.00 Patch Level 9+ and SAP GUI for Java 7.80 PL9+ or 8.10 – rendering them ineffective.