SAP GUI input history found vulnerable to weak encryption

“A single known value is enough to recover that key and decrypt the rest of the database, exposing IDs, account numbers or other business data,” Soroko added. For the Java version, the situation is worse. History data is saved as serialized objects with no encryption whatsoever. “Anyone who gains local or remote file-system access [...] can harvest the history files to accelerate lateral movement, craft convincing spear‑phishing or amass data that triggers GDPR, PCI DSS or HIPAA violations,” Soroko explained.