high2026-07-14SAProuterCVE-2026-0487

DLL Hijacking in SAProuter for Windows

SAProuter (Windows)

Our Take

SAProuter is the network entry point to your entire SAP landscape — it typically has firewall rules that allow it to reach every SAP system you run. A compromised SAProuter means an attacker can pivot to every connected system. Windows-only, and requires local access, but the blast radius makes this worth prioritising.

Vulnerability Detail

A DLL hijacking vulnerability in the SAProuter Windows installation allows a local attacker with write access to the SAProuter directory to place a malicious DLL that is loaded on SAProuter startup, resulting in arbitrary code execution with the privileges of the SAProuter process. SAProuter typically runs with elevated permissions and has network access to all SAP systems in the landscape.

Workaround

Restrict write permissions to the SAProuter installation directory to SAProuter service account only. Verify no unauthorised users have write access to SAProuter directories.

Patch Action

Apply SAP Note 3692165. Applies to Windows deployments only — Linux SAProuter installations are not affected.

Affected Versions

SAProuter on Windows — see SAP Note for specific patch levels

Patch Info

CVSS Score

8.4

SAP Note

3692165

CVE

CVE-2026-0487

Published

2026-07-14

← All patches