[ERPSCAN-14-014] SAP Router – Integer Overflow vulnerability

Application: SAP Network Interface Router (SAProuter)
Versions Affected: SAP 40.4 – Win64/Linux x86_64
Vendor URL: http://www.sap.com
Vulnerability: XXE
Reported: 16.06.2014
Vendor response: 17.06.2014
Date of Public Advisory: 17.10.2014
Reference: SAP Security Note 2037492
Authors: Roman Bazhin (ERPScan)

A remote attacker can conduct a denial of service attack against SAP Router, or otherwise affect its security, without authorization.

Business Risk
An attacker can use a denial of service vulnerability in SAP Router to terminate the process of the vulnerable component. As a result, nobody can use this service, which negatively affects business processes. System downtime also harms business reputation.
To prevent this issue as well as a plethora of other vulnerabilities that may affect your SAP Router security and other SAP systems, ERPScan provides the following services: