{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/saprouter-7.53/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-0487"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SAProuter (KRNL64NUC 7.22)","SAProuter (7.22EXT)","SAProuter (KRNL64UC 7.22)","SAProuter (7.53)","SAProuter (SAP_ROUTER 7.53)","SAProuter (7.54)","SAProuter (KERNEL 7.22)","SAProuter (7.77)","SAProuter (7.89)","SAProuter (7.93)","SAProuter (9.16)","SAProuter (9.17)","SAProuter (9.18)"],"_cs_severities":["high"],"_cs_tags":["dll-hijacking","code-execution","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["SAP SE"],"content_html":"\u003cp\u003eCVE-2026-0487 describes a critical vulnerability in SAProuter on Microsoft Windows, allowing an unauthenticated attacker to achieve arbitrary code execution through DLL hijacking. The flaw enables the router to load library (DLL) files from untrusted locations, which an attacker can exploit to execute malicious code. This vulnerability, stemming from an uncontrolled search path element (CWE-427), has a CVSS v3.1 base score of 8.4, indicating a high impact on the confidentiality, integrity, and availability of the affected system. Multiple versions of SAProuter are impacted, including KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.53, SAP_ROUTER 7.53, 7.54, KERNEL 7.22, 7.77, 7.89, 7.93, 9.16, 9.17, and 9.18. Organizations using vulnerable SAProuter versions on Windows should prioritize patching to mitigate this severe risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An unauthenticated attacker gains network access to the target system running SAProuter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker identifies an untrusted or non-standard directory within SAProuter's DLL search path that can be written to, either due to inherent design flaws (CWE-427) or another vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious DLL Placement\u003c/strong\u003e: The attacker places a specially crafted malicious DLL (e.g., \u003ccode\u003ews2_32.dll\u003c/code\u003e impersonation, or other known loadable DLLs) into the identified untrusted directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLegitimate Operation Trigger\u003c/strong\u003e: When the SAProuter process performs an action that requires loading a legitimate system DLL (e.g., during startup or routine operations), its uncontrolled search path prioritizes the untrusted directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious DLL Loading\u003c/strong\u003e: SAProuter, unaware of the malicious intent, loads and attempts to execute the attacker's DLL instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: The malicious code embedded within the attacker's DLL is executed within the security context of the SAProuter process, allowing the attacker to gain full control over the process and potentially the underlying system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker can then perform various post-exploitation activities, such as establishing persistence, exfiltrating sensitive data, or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0487 allows an unauthenticated attacker to achieve arbitrary code execution on the compromised system. This leads to a severe impact on the confidentiality, integrity, and availability of the system where SAProuter is installed. Attackers can gain full control over the affected SAProuter process, potentially leading to unauthorized access to SAP systems, data manipulation, or denial-of-service conditions. Given the critical role of SAProuter in connecting SAP systems to external networks, a compromise could have widespread implications for an organization's business operations and data security. The specific number of potential victims or targeted sectors is not provided, but any organization using vulnerable SAProuter versions on Microsoft Windows is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-0487\u003c/strong\u003e: Immediately apply the security patches provided by SAP SE, referenced by SAP Note 3692165 and the SAP Security Patch Day updates.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor for Suspicious DLL Loading\u003c/strong\u003e: Deploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eSAProuter.exe\u003c/code\u003e loading DLLs from unusual or non-standard paths, which could indicate exploitation attempts of CVE-2026-0487.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon Event ID 7\u003c/strong\u003e: Ensure Sysmon Event ID 7 (ImageLoad) logging is enabled on all Windows systems running SAProuter to capture DLL loading activities required by the detection rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview SAProuter Configurations\u003c/strong\u003e: Regularly audit SAProuter configurations to ensure that its DLL search paths do not include user-writable or untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T01:20:05Z","date_published":"2026-07-14T01:20:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/","summary":"An unauthenticated attacker can exploit CVE-2026-0487, a vulnerability in SAProuter running on Microsoft Windows, by loading malicious DLL files from an untrusted location, allowing them to execute arbitrary code on the affected system with high impact on confidentiality, integrity, and availability.","title":"Unauthenticated Arbitrary Code Execution in SAProuter via DLL Hijacking (CVE-2026-0487)","url":"https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/"}],"language":"en","title":"CraftedSignal Threat Feed - SAProuter (7.53)","version":"https://jsonfeed.org/version/1.1"}