<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SAProuter (7.53) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/saprouter-7.53/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 01:20:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/saprouter-7.53/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Arbitrary Code Execution in SAProuter via DLL Hijacking (CVE-2026-0487)</title><link>https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/</link><pubDate>Tue, 14 Jul 2026 01:20:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-saprouter-cve-2026-0487/</guid><description>An unauthenticated attacker can exploit CVE-2026-0487, a vulnerability in SAProuter running on Microsoft Windows, by loading malicious DLL files from an untrusted location, allowing them to execute arbitrary code on the affected system with high impact on confidentiality, integrity, and availability.</description><content:encoded><![CDATA[<p>CVE-2026-0487 describes a critical vulnerability in SAProuter on Microsoft Windows, allowing an unauthenticated attacker to achieve arbitrary code execution through DLL hijacking. The flaw enables the router to load library (DLL) files from untrusted locations, which an attacker can exploit to execute malicious code. This vulnerability, stemming from an uncontrolled search path element (CWE-427), has a CVSS v3.1 base score of 8.4, indicating a high impact on the confidentiality, integrity, and availability of the affected system. Multiple versions of SAProuter are impacted, including KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.53, SAP_ROUTER 7.53, 7.54, KERNEL 7.22, 7.77, 7.89, 7.93, 9.16, 9.17, and 9.18. Organizations using vulnerable SAProuter versions on Windows should prioritize patching to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An unauthenticated attacker gains network access to the target system running SAProuter.</li>
<li><strong>Vulnerability Identification</strong>: The attacker identifies an untrusted or non-standard directory within SAProuter's DLL search path that can be written to, either due to inherent design flaws (CWE-427) or another vulnerability.</li>
<li><strong>Malicious DLL Placement</strong>: The attacker places a specially crafted malicious DLL (e.g., <code>ws2_32.dll</code> impersonation, or other known loadable DLLs) into the identified untrusted directory.</li>
<li><strong>Legitimate Operation Trigger</strong>: When the SAProuter process performs an action that requires loading a legitimate system DLL (e.g., during startup or routine operations), its uncontrolled search path prioritizes the untrusted directory.</li>
<li><strong>Malicious DLL Loading</strong>: SAProuter, unaware of the malicious intent, loads and attempts to execute the attacker's DLL instead of the legitimate one.</li>
<li><strong>Arbitrary Code Execution</strong>: The malicious code embedded within the attacker's DLL is executed within the security context of the SAProuter process, allowing the attacker to gain full control over the process and potentially the underlying system.</li>
<li><strong>Impact</strong>: The attacker can then perform various post-exploitation activities, such as establishing persistence, exfiltrating sensitive data, or deploying additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0487 allows an unauthenticated attacker to achieve arbitrary code execution on the compromised system. This leads to a severe impact on the confidentiality, integrity, and availability of the system where SAProuter is installed. Attackers can gain full control over the affected SAProuter process, potentially leading to unauthorized access to SAP systems, data manipulation, or denial-of-service conditions. Given the critical role of SAProuter in connecting SAP systems to external networks, a compromise could have widespread implications for an organization's business operations and data security. The specific number of potential victims or targeted sectors is not provided, but any organization using vulnerable SAProuter versions on Microsoft Windows is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-0487</strong>: Immediately apply the security patches provided by SAP SE, referenced by SAP Note 3692165 and the SAP Security Patch Day updates.</li>
<li><strong>Monitor for Suspicious DLL Loading</strong>: Deploy the provided Sigma rule to your SIEM to detect <code>SAProuter.exe</code> loading DLLs from unusual or non-standard paths, which could indicate exploitation attempts of CVE-2026-0487.</li>
<li><strong>Enable Sysmon Event ID 7</strong>: Ensure Sysmon Event ID 7 (ImageLoad) logging is enabled on all Windows systems running SAProuter to capture DLL loading activities required by the detection rule.</li>
<li><strong>Review SAProuter Configurations</strong>: Regularly audit SAProuter configurations to ensure that its DLL search paths do not include user-writable or untrusted locations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dll-hijacking</category><category>code-execution</category><category>vulnerability</category><category>cve</category></item></channel></rss>