Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
DLL hijacking needs local write access to a searched directory, so AV:L and realistically PR:L; loaded code runs in the service context giving full C:H/I:H/A:H with no scope change.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
SAProuter on Microsoft Windows allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. This has high impact on confidentiality, integrity and availability of the system.
AnalysisAI
Arbitrary code execution in SAProuter on Microsoft Windows lets a local attacker plant a malicious DLL in an untrusted search-path location that SAProuter loads at runtime, hijacking the DLL loading process to run attacker code with the privileges of the SAProuter service. The flaw was reported by SAP and carries a CVSS 8.4 with full High impact on confidentiality, integrity, and availability; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local ability to place a malicious DLL in a location that the Windows SAProuter process searches when resolving a library by name (CWE-427), and that SAProuter subsequently load that library (typically at process start or restart). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and should be read together rather than off the headline score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has a foothold on the SAProuter host - or who can write to a directory in SAProuter's DLL search path - drops a malicious DLL using the name of a library SAProuter loads. When the SAProuter process starts or reloads and resolves that library by name, it loads the attacker's DLL instead of the legitimate one, executing arbitrary code in the process context; no public exploit code has been identified, and the AV:L/AC:L profile means the technique is straightforward once local write access is obtained. |
| Remediation | Apply the fix delivered via SAP Security Note 3692165 (https://me.sap.com/notes/3692165), released through SAP Security Patch Day (https://url.sap/sapsecuritypatchday) - this is a patch available per vendor advisory; the exact fixed version is not stated in the available data, so confirm the target build directly in the SAP note. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Windows systems running SAProuter and document their network role and current version. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43583
GHSA-3g84-hpr9-w7v5