CVE-2025-43005 is a medium-severity vulnerability affecting SAP GUI for Windows, specifically version BC-FES-GUI 8.00. The issue arises from the insecure obfuscation algorithms used by the GuiXT application component within SAP GUI to store user credentials. This vulnerability is classified under CWE-256, which refers to the plaintext storage of passwords or insufficient protection of stored credentials. An unauthenticated attacker with local access to the affected system can exploit this weakness to retrieve user credentials stored in an insecure manner. The vulnerability does not impact the integrity or availability of the SAP GUI application but poses a confidentiality risk by potentially exposing sensitive user credentials. The CVSS 3.1 base score is 4.3, reflecting a low to medium impact primarily on confidentiality, with an attack vector of local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are reported in the wild, and no patches have been published at the time of this analysis. The vulnerability was reserved in April 2025 and published in May 2025.

For European organizations using SAP GUI for Windows version BC-FES-GUI 8.00, this vulnerability could lead to unauthorized disclosure of user credentials if an attacker gains local access to the system. While the impact on integrity and availability is negligible, the confidentiality breach could facilitate further attacks such as unauthorized access to SAP systems or lateral movement within the network. Given SAP's widespread use in enterprise resource planning (ERP) across Europe, especially in sectors like manufacturing, finance, and public administration, compromised credentials could lead to data leakage or unauthorized transactions. However, the requirement for local access limits the attack surface primarily to insider threats or attackers who have already breached perimeter defenses. The lack of known exploits reduces immediate risk but does not eliminate the potential for future exploitation. Organizations with strict compliance requirements around credential management and data protection (e.g., GDPR) should consider this vulnerability a concern.

1. Restrict local access to systems running SAP GUI for Windows to trusted personnel only, enforcing strict physical and logical access controls. 2. Implement endpoint security solutions that monitor and restrict unauthorized access to credential storage locations used by GuiXT. 3. Regularly audit and monitor logs for suspicious local access or attempts to extract stored credentials. 4. Educate users about the risks of storing credentials and encourage the use of secure authentication methods such as single sign-on (SSO) or multi-factor authentication (MFA) where possible. 5. Apply any forthcoming patches or updates from SAP promptly once available. 6. Consider deploying application whitelisting and restricting execution of unauthorized scripts or tools that could exploit this vulnerability. 7. Use encryption or secure vault solutions for credential storage if customization of SAP GUI or GuiXT is possible. 8. Conduct periodic security assessments and penetration tests focusing on local privilege escalation and credential extraction vectors.