DLL Hijacking in SAProuter for Windows
SAProuter (Windows)
SAProuter is the network entry point to your entire SAP landscape — it typically has firewall rules that allow it to reach every SAP system you run. A compromised SAProuter means an attacker can pivot to every connected system. Windows-only, and requires local access, but the blast radius makes this worth prioritising.
Vulnerability Detail
A DLL hijacking vulnerability in the SAProuter Windows installation allows a local attacker with write access to the SAProuter directory to place a malicious DLL that is loaded on SAProuter startup, resulting in arbitrary code execution with the privileges of the SAProuter process. SAProuter typically runs with elevated permissions and has network access to all SAP systems in the landscape.
Workaround
Restrict write permissions to the SAProuter installation directory to SAProuter service account only. Verify no unauthorised users have write access to SAProuter directories.
Patch Action
Apply SAP Note 3692165. Applies to Windows deployments only — Linux SAProuter installations are not affected.
Affected Versions
Patch Info