CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Apr 9, 2025

High

CISA KEV

CVE-2017-12637

SAP—NetWeaver

SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.

Required Action

SAP users must have an account to log in and access the patch: https://me.sap.com/notes/3476549 ; https://nvd.nist.gov/vuln/detail/CVE-2017-12637

Vulnerability Overview

Severity: High
CISA KEV: Yes
Ransomware: Unknown
Published: Mar 19, 2025
KEV Added: Mar 19, 2025
Due Date: Apr 9, 2025
Related Articles: 0

Vendor

SAP

NetWeaver