
CVE-2025-42979: CWE-922: Insecure Storage of Sensitive Information in SAP_SE SAP GUI for Windows

Medium
Tags: Vulnerability, CVE-2025-42979, cve, cwe-922
Published: Tue Jul 08 2025 (07/08/2025, 00:37:55 UTC)
Source: CVE Database V5
Vendor/Project: SAP_SE
Product: SAP GUI for Windows

Description

The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. This leads to a high impact on confidentiality because any attacker who gains access to the user hive of this user's Windows registry could recreate the original password. There is no impact on integrity or availability of the application.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 00:56:23 UTC

Technical Analysis

CVE-2025-42979 is a medium-severity vulnerability affecting SAP GUI for Windows, specifically the GuiXT application integrated within it. The vulnerability arises from the insecure storage of sensitive information, namely the credentials of an RFC (Remote Function Call) user, on the client PC. Instead of employing secure symmetric encryption algorithms to protect these credentials, the application uses obfuscation techniques. Obfuscation is a weaker form of protection that can be reversed by an attacker with sufficient access and knowledge. The credentials are stored within the Windows registry under the user hive, which is accessible to anyone with access to the user's Windows profile. An attacker who gains access to this registry hive can reconstruct the original password, leading to a significant confidentiality breach. The vulnerability does not affect the integrity or availability of the SAP GUI application, as it only concerns the confidentiality of stored credentials. The CVSS v3.1 score is 5.6, reflecting a medium severity due to the requirement for local access (Attack Vector: Local), high attack complexity, and the need for low privileges but no user interaction. The scope is changed, indicating that the compromise of the stored credentials could impact other components or systems beyond the SAP GUI client itself. No known exploits are currently reported in the wild, and no patches have been linked yet. The affected version is BC-FES-GUI 8.00. This vulnerability falls under CWE-922, which covers insecure storage of sensitive information, a common issue that can lead to credential theft and subsequent unauthorized access.

Potential Impact

For European organizations using SAP GUI for Windows with the GuiXT application, this vulnerability poses a significant risk to the confidentiality of RFC user credentials. Since SAP systems are widely used in Europe across various sectors including manufacturing, finance, and public administration, the exposure of these credentials could allow attackers to impersonate legitimate users and execute unauthorized remote function calls. This could lead to unauthorized data access, data exfiltration, or manipulation of business-critical processes. Although the vulnerability does not directly impact system integrity or availability, the compromise of credentials can be a stepping stone for further attacks within the enterprise network. The requirement for local access limits the attack vector to insiders or attackers who have already compromised a user's workstation. However, given the high value of SAP credentials, even limited access can have severe consequences. European organizations with less stringent endpoint security or those that allow shared or poorly controlled user workstations are at higher risk. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal and sensitive data, so a breach resulting from this vulnerability could lead to compliance violations and financial penalties.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Restrict access to user workstations and enforce strict endpoint security controls, including strong authentication and session locking, to prevent unauthorized local access to the Windows registry.
2) Regularly audit and monitor access to the Windows registry hives where SAP credentials are stored to detect suspicious activities.
3) Employ application whitelisting and endpoint detection and response (EDR) solutions to detect and block unauthorized attempts to access or extract registry data.
4) Where possible, disable or limit the use of the GuiXT application or the storage of RFC credentials on client machines, opting instead for more secure authentication methods such as single sign-on or token-based authentication.
5) Educate users about the risks of credential exposure and the importance of securing their workstations.
6) Monitor SAP GUI client updates and apply patches promptly once SAP releases a fix for this vulnerability.
7) Consider implementing additional encryption or credential vaulting solutions at the endpoint to protect stored credentials beyond the native SAP GUI mechanisms.
8) Review and tighten SAP user permissions to minimize the impact if credentials are compromised.
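As an added example for mitigation items 2 and 3 (not SAP code and not part of the advisory), the PowerShell below puts an audit SACL on the registry key holding the stored credentials and then reports which process and user read it. The key path is a placeholder because the advisory does not name the location GuiXT uses; the script must run from an elevated session.

```powershell
# Added example, not from SAP or the advisory. Audit read access to the
# registry key that holds client-side credentials, then list the readers.
# ASSUMPTION: placeholder path below; replace with the key GuiXT uses on
# your clients (the advisory does not state it). Run elevated.
$credentialKey = 'HKCU:\Software\PLACEHOLDER_VENDOR\PLACEHOLDER_CREDENTIAL_KEY'

# 1. SACL entries only generate events when the Object Access > Registry
#    audit subcategory is enabled, so switch it on first.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Add a SACL rule: log every successful or failed read of the key
#    (ReadKey covers value queries and subkey enumeration) by any principal.
$acl  = Get-Acl -Path $credentialKey -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $credentialKey -AclObject $acl   # needs SeSecurityPrivilege

# 3. Review who touched the key during the last day. Security event 4663 is
#    "an attempt was made to access an object"; 4657 is "a registry value was
#    modified". The accessing process is the field that separates the SAP
#    client itself from an unexpected reader such as a script or dump tool.
$keyFragment = $credentialKey -replace '^HKCU:\\', ''
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663, 4657
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$keyFragment*" } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
        }
    } | Format-Table -AutoSize
```

Feed the same 4663/4657 filter to the SIEM or EDR rule set so that a reader other than the SAP GUI client process raises an alert rather than relying on manual review.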


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-04-16T13:25:45.231Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686c68cd6f40f0eb72eec689

Added to database: 7/8/2025, 12:39:41 AM

Last enriched: 7/8/2025, 12:56:23 AM

Last updated: 8/9/2025, 3:49:48 PM

