Cyber Resilience

CVE-2017-12637

Severity: High · CISA KEV listed · Active exploitation · EUVD: Exploited

Published: 07 August 2017
Modified: 22 April 2026
KEV added: 19 March 2025
CVSS v3.1 score: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.9344 (99.8th percentile)
Risk priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2017-12637 is a high-severity Path Traversal (CWE-22) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability is a directory traversal flaw, identified as CVE-2017-12637 and assigned CWE-22, that affects the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component in SAP NetWeaver Application Server Java 7.5. It carries a CVSS 3.1 score of 7.5, reflecting network-accessible, unauthenticated read access with high confidentiality impact.

Remote attackers can exploit the issue by supplying a .. sequence in the query string to retrieve arbitrary files from the server. The flaw was actively exploited in the wild during August 2017.

The issue is tracked under SAP Security Note 2486657 and appears in the CISA Known Exploited Vulnerabilities Catalog.

EU & UK References

Vulnerability details

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

CWE(s): CWE-22 (Path Traversal)
KEV date added: 19 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

SAP NetWeaver Application Server Java 7.50

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: Requires validation of all inputs (including query-string parameters) to reject path traversal sequences such as .. before they reach the vulnerable SAP UIUtilJavaScriptJS endpoint.

AC-3 (Access Enforcement), prevent: Enforces access-control policy on every file-system read, blocking the unauthenticated retrieval of arbitrary files that the traversal flaw would otherwise permit.

Information flow enforcement, prevent: Implements information-flow rules that restrict which resources a remote, unauthenticated request may access, limiting the scope of any successful traversal.
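Added example (not from this page or from SAP): a Python sketch of the SI-10 style input-validation check described above, reused as a detection pass over web access logs for traversal attempts against the endpoint named in the CVE. The combined-log format, the parameter name `q` and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint path named in the CVE description.
VULNERABLE_PATH = "/scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"
# A ".." path segment bounded by "/" or the string edge (backslashes are normalised first).
_DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Apache-style combined log line: client IP and request target (format is an assumption).
_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    """SI-10 style check: True if a query-string value contains a '..' path segment."""
    return bool(_DOTDOT.search(fully_decode(value).replace("\\", "/")))

def validate_query(query: str) -> list[str]:
    """Names of parameters whose values carry a traversal sequence (reject if non-empty)."""
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if has_traversal(v)]

def flag_requests(log_text: str) -> list[tuple[str, list[str]]]:
    """Detection over access logs: (client_ip, offending params) per hit on the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if parts.path == VULNERABLE_PATH and (bad := validate_query(parts.query)):
            hits.append((ip, bad))
    return hits

# Constructed sample log lines (not real traffic); the parameter name "q" is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2017:12:00:01 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?q=../../CONSTRUCTED_FILE HTTP/1.1" 200 1534
10.0.0.5 - - [10/Aug/2017:12:00:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?q=%2e%2e%2f%2e%2e%2fCONSTRUCTED_FILE HTTP/1.1" 200 1534
10.0.0.7 - - [10/Aug/2017:12:00:03 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?q=app.js HTTP/1.1" 200 812
10.0.0.8 - - [10/Aug/2017:12:00:04 +0000] "GET /other/path?q=../../x HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ip, params in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip} in parameter(s) {params}")
```

The same `has_traversal` check placed in front of the endpoint (a WAF rule or request filter) is the preventive form of the control; run over historical logs it doubles as a retrospective hunt.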

References