CVE-2026-0487

SAP · SAProuter

A DLL hijacking vulnerability in SAProuter on Windows allows unauthenticated local attackers to execute arbitrary code by loading malicious libraries from untrusted paths.

Executive summary

A high-severity DLL hijacking vulnerability in SAProuter on Windows allows unauthenticated local attackers to gain unauthorized code execution.

Vulnerability

The software contains an Uncontrolled Search Path Element (CWE-427) vulnerability. An unauthenticated attacker can place malicious DLL files in a location where the application searches for them, resulting in code execution under the context of the SAProuter process.

Business impact

The vulnerability has a CVSS score of 8.4, indicating a high risk to system security. If exploited, an attacker could escalate privileges or gain persistent access to the server, threatening the confidentiality, integrity, and availability of sensitive SAP environment data.

Remediation

Immediate Action: Apply the relevant security patches provided by SAP (refer to SAP Note 3692165). Ensure that all affected kernel and router versions are updated to the secure releases specified by the vendor.

Proactive Monitoring: Review system logs for unauthorized file modifications or unexpected DLL loading events in the application's working directory.

Compensating Controls: Ensure that the file system permissions for the SAP installation directory are strictly restricted, preventing unprivileged users from writing or modifying files within the application path.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Security teams should prioritize the application of the vendor-provided security updates. Given the nature of DLL hijacking, ensure that all system-level security best practices—such as Principle of Least Privilege—are enforced to limit the impact of such vulnerabilities.