CVE-2025-42979
📋 TL;DR
CVE-2025-42979 is a vulnerability in the GuiXT application integrated with SAP GUI for Windows, where RFC user credentials are stored using weak obfuscation instead of proper encryption. This allows attackers with access to the Windows registry to recover passwords. It affects SAP users who use GuiXT with RFC connections on Windows systems.
💻 Affected Systems
- SAP GUI for Windows with GuiXT integration
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access, or malware running on the workstation, could extract SAP RFC credentials from the registry, leading to unauthorized access to SAP systems and potential data exfiltration.
Likely Case
Malware or malicious users on compromised Windows workstations could harvest SAP credentials from the registry for lateral movement within SAP environments.
If Mitigated
With proper endpoint security and registry protection, risk is limited to users who already have administrative access to compromised systems.
🎯 Exploit Status
Exploitation requires local access to Windows registry, making it accessible to malware and local attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3607513 for specific patched versions
Vendor Advisory: https://me.sap.com/notes/3607513
Restart Required: Yes
Instructions:
1. Review SAP Note 3607513.
2. Apply SAP Security Patch Day updates.
3. Update SAP GUI and GuiXT components.
4. Restart affected systems.
🔧 Temporary Workarounds
Disable local credential storage
Windows: Configure GuiXT to not store RFC credentials locally in the registry
Configure GuiXT settings to use alternative authentication methods
Registry access restrictions
Windows: Apply ACL restrictions to registry keys containing GuiXT credentials
Use regedit to locate the HKEY_CURRENT_USER\Software\SAP\GuiXT keys and restrict their permissions
🧯 If You Can't Patch
- Implement strict endpoint security controls to prevent unauthorized registry access
- Use network segmentation to limit access to SAP systems from potentially compromised workstations
🔍 How to Verify
Check if Vulnerable:
Check whether GuiXT is installed and configured to store RFC credentials, and review the registry for obfuscated credential storage
Check Version:
Check the SAP GUI version via the About dialog or the command line
Verify Fix Applied:
Verify that SAP GUI and GuiXT components have been updated to versions specified in SAP Note 3607513
📡 Detection & Monitoring
Log Indicators:
- Unusual registry access patterns to SAP\GuiXT keys
- Multiple failed authentication attempts from new locations
Network Indicators:
- SAP RFC connections from unexpected workstations or IP addresses
SIEM Query:
Windows Event ID 4656 or 4663 showing access to registry keys containing 'SAP\GuiXT'
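The SIEM check above as an added example (not part of the original advisory or any vendor tooling): it filters Windows Security events 4656/4663 for registry keys under SAP\GuiXT and reports access by processes outside an allowlist. The event dictionaries are constructed samples, and the allowlist of process names is an assumption to adapt per environment.

```python
import ntpath

# Event IDs and key fragment follow the SIEM guidance above.
WATCHED_EVENT_IDS = {4656, 4663}
KEY_FRAGMENT = r"\software\sap\guixt"
# Assumption: processes expected to open the GuiXT key; adjust per fleet.
EXPECTED_PROCESSES = {"saplogon.exe", "sapgui.exe", "guixt.exe"}

def is_guixt_key_access(event):
    """True for a 4656/4663 registry-key event whose object is under SAP\\GuiXT."""
    return (
        event.get("EventID") in WATCHED_EVENT_IDS
        and event.get("ObjectType") == "Key"
        and KEY_FRAGMENT in event.get("ObjectName", "").lower()
    )

def unexpected_guixt_access(events, expected=EXPECTED_PROCESSES):
    """Return (host, user, process, key) for access by non-allowlisted processes."""
    findings = []
    for ev in events:
        if not is_guixt_key_access(ev):
            continue
        # ProcessName is a full Windows path; compare on the lowercased file name.
        process = ntpath.basename(ev.get("ProcessName", "")).lower()
        if process not in expected:
            findings.append((ev.get("Computer"), ev.get("SubjectUserName"),
                             process, ev["ObjectName"]))
    return findings

# Constructed sample events (not real logs); host, user, SID and subkey are placeholders.
_KEY = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\SAP\GuiXT"

def _event(event_id, process, name=_KEY, obj_type="Key"):
    return {"EventID": event_id, "Computer": "WS-0101", "SubjectUserName": "jdoe",
            "ObjectType": obj_type, "ObjectName": name, "ProcessName": process}

SAMPLE_EVENTS = [
    _event(4663, r"C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe"),
    _event(4663, r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"),
    _event(4656, r"C:\Windows\System32\reg.exe", _KEY + r"\Example"),
    _event(4663, r"C:\Windows\explorer.exe", r"C:\Software\SAP\GuiXT\notes.txt", "File"),
    _event(4663, r"C:\Windows\System32\reg.exe",
           r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\SAP\General"),
]

if __name__ == "__main__":
    for finding in unexpected_guixt_access(SAMPLE_EVENTS):
        print(finding)
```

Events 4656 and 4663 are only written when registry object-access auditing is enabled and an audit entry (SACL) is set on the key.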