⚠ Actively exploited
Added to CISA KEV on 2025-03-19. Federal agencies required to patch by 2025-04-09. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2017-12637

CWE-22Path Traversal7 documents6 sources
Severity
7.5HIGH
EPSS
93.3%
top 0.19%
CISA KEV
KEV
Added 2025-03-19
Due 2025-04-09
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
SAP Netweaver Application Server Java
Timeline
PublishedAug 7
KEV addedMar 19
KEV dueApr 9
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

🔴Vulnerability Details

3
GHSA
GHSA-5p56-56jf-wfv2: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 72022-05-13
CVEList
CVE-2017-12637: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 72017-08-07
VulnCheck
SAP NetWeaver Directory Traversal Vulnerability2017

💥Exploits & PoCs

2
Nuclei
SAP NetWeaver Application Server Java 7.5 - Local File Inclusion
Nuclei
SAP NetWaver Security Checks

📋Vendor Advisories

1
CISA
SAP NetWeaver Directory Traversal Vulnerability2025-03-19
CVE-2017-12637 (HIGH CVSS 7.5) | Directory traversal vulnerability i | cvebase.io