CVE-2025-24870 MEDIUM

CVE-2025-24870: Insecure Key & Secret Management vulnerability in SAP GUI for Windows

Vendor Sap_Se
Product SAP GUI for Windows
Weakness CWE-921
Published February 11, 2025
Last update February 18, 2025

CVSS base score

6.0/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program, allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity or availability.

Key dates

02 Disclosure timeline

February 11, 2025 CVE published
February 18, 2025 Record updated