Skip to main content

SAProuter CVE-2026-0487

| EUVDEUVD-2026-43583 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-07-14 sap GHSA-3g84-hpr9-w7v5
8.4
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

DLL hijacking needs local write access to a searched directory, so AV:L and realistically PR:L; loaded code runs in the service context giving full C:H/I:H/A:H with no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 01:15 vuln.today
CVE Published
Jul 14, 2026 - 00:17 cve.org
HIGH 8.4

DescriptionCVE.org

SAProuter on Microsoft Windows allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. This has high impact on confidentiality, integrity and availability of the system.

AnalysisAI

Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local access to SAProuter host
Delivery
Plant malicious DLL in searched path
Exploit
SAProuter loads DLL by name
Execution
Execute arbitrary code in service context
Impact
Full compromise of host confidentiality/integrity/availability

Vulnerability AssessmentAI

Exploitation Exploitation requires local ability to place a malicious DLL in a location that the Windows SAProuter process searches when resolving a library by name (CWE-427), and that SAProuter subsequently load that library (typically at process start or restart). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and should be read together rather than off the headline score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already has a foothold on the SAProuter host - or who can write to a directory in SAProuter's DLL search path - drops a malicious DLL using the name of a library SAProuter loads. When the SAProuter process starts or reloads and resolves that library by name, it loads the attacker's DLL instead of the legitimate one, executing arbitrary code in the process context; no public exploit code has been identified, and the AV:L/AC:L profile means the technique is straightforward once local write access is obtained.
Remediation Apply the fix delivered via SAP Security Note 3692165 (https://me.sap.com/notes/3692165), released through SAP Security Patch Day (https://url.sap/sapsecuritypatchday) - this is a patch available per vendor advisory; the exact fixed version is not stated in the available data, so confirm the target build directly in the SAP note. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Windows systems running SAProuter and document their network role and current version. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-0487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy