🔴 CVE-2017-12637

Directory traversal vulnerability in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via path traversal in a JavaScript UI endpoint. This vulnerability has been actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities catalog.

Risk Level: HIGH_RISK
CVSS Score: 7.5
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2017-08-07

Added to CISA KEV: 2025-03-19 (2,781 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2017-12637 is a directory traversal vulnerability affecting SAP NetWeaver Application Server (AS) Java, which has been a subject of significant security concern due to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog [1].

Overview and Impact
  • Vulnerability Type: Directory Traversal [1].
  • Impact: Successful exploitation allows unauthenticated remote attackers to read arbitrary files from the affected server [1]. While the vulnerability itself is a file-read issue, researchers have noted that when exploited, it can potentially enable threat actors to gain full control of unprotected SAP systems [2].
Exploitation Details
  • Method: The attack is performed over HTTP/HTTPS by sending a specially crafted request containing `..` (dot-dot) sequences in the query string to the vulnerable component (`scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS`) [1] [3].
  • Requirements:
    * Network vs. Local: It is a remote, network-based attack [1].
    * User Interaction: No user interaction is required for successful exploitation.
    * Accessibility: Because SAP NetWeaver Java often serves as the base platform for internet-facing applications (such as SAP Portal), these systems are frequently exposed to the public internet, increasing the attack surface [3].
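A defender-side illustration of the request pattern described above: an added example (not code from the page, from SAP, or from Onapsis) that scans web access-log lines for requests to the UIUtilJavaScriptJS path carrying `..` sequences, decoding percent-encoding repeatedly so single- and double-encoded variants are caught. The endpoint path is the one named on this page; the Common Log Format layout, the finding labels, and the sample log lines (with placeholder addresses and file names) are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Vulnerable JavaScript UI endpoint as named on this page (path only).
VULNERABLE_ENDPOINT = "/scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"

# A ".." segment followed by a slash or backslash (or end of string), not part of "...".
DOT_DOT = re.compile(r"(?<!\.)\.\.(?:[/\\]|$)")

# Assumed Common Log Format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> Optional[str]:
    """Return a finding label for one request target, or None if nothing is suspicious."""
    parts = urlsplit(target)
    path = decode_repeatedly(parts.path)
    query = decode_repeatedly(parts.query)
    # The page describes traversal sequences in the query string; the path is checked too.
    if not (DOT_DOT.search(path) or DOT_DOT.search(query)):
        return None
    if path.startswith(VULNERABLE_ENDPOINT):
        return "CVE-2017-12637 pattern: traversal against UIUtilJavaScriptJS"
    return "traversal sequence on other path (review)"


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, int, str]]:
    """Return (line_no, client_ip, status, label) for every suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        label = classify_request(m["target"])
        if label:
            findings.append((n, m["ip"], int(m["status"]), label))
    return findings


# Constructed sample lines (not real traffic); addresses and file names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Mar/2025:10:00:01 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS HTTP/1.1" 200 5120',
    '10.0.0.6 - - [19/Mar/2025:10:00:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%2f..%2fconstructed-target.txt HTTP/1.1" 200 1879',
    '10.0.0.7 - - [19/Mar/2025:10:00:03 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?%252e%252e%252f%252e%252e%252fplaceholder.xml HTTP/1.1" 404 0',
    '10.0.0.8 - - [19/Mar/2025:10:00:04 +0000] "GET /irj/portal?../../x HTTP/1.1" 403 0',
    '10.0.0.9 - - [19/Mar/2025:10:00:05 +0000] "POST /irj/portal HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, ip, status, label in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} status={status} {label}")
```

A hit on the vulnerable path with a 200 response deserves the highest priority, since it suggests the read succeeded; a 404 or 403 still records an attempt worth correlating with the source address. The bounded decode loop is deliberate: unbounded decoding on untrusted input is a cheap way to waste CPU on a busy log pipeline.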
Active Exploitation and Threat Landscape
  • Wild Exploitation: The vulnerability was exploited in the wild as early as August 2017 [1].
  • Recent Activity: CISA issued warnings regarding active exploitation of this vulnerability as recently as March 2025 [3]. Threat intelligence networks have continued to observe the vulnerability present in various environments, indicating that it remains a target for malicious actors [2].
  • Targeted Attacks: While specific details on ransomware campaigns are not always publicly attributed to this single CVE, the ability to read arbitrary files often serves as a critical initial step for attackers to gather sensitive configuration data, credentials, or system information to facilitate further, more targeted attacks against an organization's mission-critical infrastructure [2].
Affected Products and Mitigation
  • Affected Version: SAP NetWeaver Application Server Java 7.5 is explicitly identified as affected [1] [4].
  • Patch Status: SAP released a patch for this vulnerability in 2017, documented under SAP Security Note 2486657 [1] [3].
  • Mitigation: Organizations are strongly advised to verify their systems against this vulnerability and ensure that the relevant SAP security notes have been applied. Given its presence in the CISA KEV catalog, immediate remediation is required for any systems found to be running unpatched versions [1].

Sources

  1. NVD - CVE-2017-12637

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements. ... CVE-2017-12637 Detail · Description · Metrics · References to Advisories, Solutions, and Tools · This CVE is in CISA's Known…

  2. Onapsis Research Labs Briefing on SAP CVE-2017-12637 - Onapsis

    Explore SAP CVE-2017-12637 and its impact. When exploited, this vulnerability affecting SAP Netweaver AS Java application servers can enable unauthenticated threat actors to take full control of unprotected SAP systems. While this is a known security vulnerability that was promptly patched by SAP in…

  3. Active Exploitation of SAP Vulnerability CVE-2017-12637 - Onapsis

    CISA warns about the active exploitation of CVE-2017-12637 in SAP NetWeaver AS Java. Protect your SAP systems from this vulnerability. ... The exploitation of CVE-2017-12637 is performed over HTTP (s), and its test is straightforward; an attacker can execute a GET method to the affected URL with a t…

  4. CVE-2017-12637 | High Vulnerability in SAP NetWeaver Application ...

    CVE-2017-12637 is a directory traversal vulnerability affecting SAP NetWeaver Application Server Java version 7.5. This vulnerability allows ...