CVE-2017-12637 — SAP NetWeaver Directory Traversal Vulnerability

CVE-2017-12637

SAP NetWeaver AS Java — Dot-Dot Path Traversal in Scheduler UI Enables Unauthenticated Arbitrary File Read; Added KEV March 2025

What Is SAP NetWeaver AS Java?

SAP NetWeaver Application Server Java (AS Java) is the Java-based application server platform underlying SAP enterprise software — including SAP Enterprise Portal, SAP Process Integration, and the SAP Java Scheduler. SAP NetWeaver deployments are high-value targets because they integrate with core SAP ERP, HR, and financial systems and often hold sensitive corporate data including employee records, financial transactions, and business process configurations. Unauthenticated file read vulnerabilities on SAP NetWeaver give attackers access to configuration files containing database credentials, LDAP passwords, and internal network information.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 19, 2025. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12637 is a directory traversal vulnerability in SAP NetWeaver AS Java that allows an unauthenticated remote attacker to read arbitrary files from the server. The vulnerability exists in the Scheduler UI component — specifically in the endpoint /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS — which fails to sanitize .. sequences in the query string, enabling path traversal outside the intended directory. Patched in 2017, this vulnerability was added to the CISA KEV catalog in March 2025 following confirmed exploitation by threat actors targeting internet-facing SAP systems. SAP Security Note 3476549 addresses this vulnerability (login required).

Affected Versions

SAP NetWeaver AS Java versions with the Scheduler UI component deployed — specific versions identified in SAP Security Note 3476549 (SAP login required to view). Organizations running SAP NetWeaver versions from 2017 or earlier without the patch are affected.

Technical Details

Root Cause: Path Traversal in Scheduler UI JavaScript Endpoint

CVE-2017-12637 is a path traversal vulnerability (CWE-22) in the SAP NetWeaver AS Java Scheduler UI. The vulnerable endpoint /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS is designed to serve JavaScript files for the Scheduler UI. However, the endpoint fails to validate the query string for directory traversal sequences (../), allowing a request like:

GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%2F..%2F..%2Fpath%2Fto%2Ffile

to read files outside the intended JavaScript directory. Because the endpoint is accessible without authentication, any unpatched, internet-reachable SAP NetWeaver instance can be exploited with a single request.

Files exposed by traversal include:

  • SAP configuration files containing database connection strings and credentials
  • LDAP/Active Directory integration credentials
  • Internal service account credentials
  • SSL private keys and certificates
  • Log files containing user activity and internal paths

Attack Characteristics

Attack Vector: Network — unauthenticated HTTP GET
Endpoint: /scheduler/ui/js/.../UIUtilJavaScriptJS
Information Disclosed: Arbitrary server files (credentials, configuration, etc.)
Complexity: Low — single HTTP request

Discovery

Discovered and reported to SAP through coordinated disclosure in 2017; patched via SAP Security Note. The long gap between patch (2017) and KEV addition (2025) reflects continued exploitation of unpatched SAP deployments.

Exploitation Context

  • SAP targeting by threat actors: SAP systems are high-priority targets for financially motivated and nation-state attackers due to the sensitive business data they contain; multiple groups specialize in SAP exploitation (ERP security specialists); CVE-2017-12637's unauthenticated nature makes it a reliable first-step reconnaissance tool
  • Credential harvesting: The primary value of an arbitrary file read on SAP NetWeaver is reading configuration files that contain plaintext or encrypted credentials; attackers use harvested credentials for SAP authentication to access business data or for lateral movement to connected systems
  • Long exploitation tail: The 8-year gap between the 2017 patch and the 2025 KEV addition demonstrates that SAP patching is notoriously delayed in production environments — SAP updates require testing with complex custom ABAP/Java codebases, leading organizations to defer patches for years
  • CISA KEV (2025): Added March 19, 2025 reflecting active exploitation of unpatched SAP NetWeaver deployments by threat actors

Remediation

CISA BOD 22-01 Deadline: April 9, 2025. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply SAP Security Note 3476549 — log in to SAP Support Portal (me.sap.com) and apply the security correction note for CVE-2017-12637. SAP patches require a valid maintenance contract.

  2. Restrict internet access to SAP NetWeaver — SAP NetWeaver AS Java should never be directly internet-accessible; place it behind a WAF or SAP Web Dispatcher that restricts access to known endpoints and blocks path traversal patterns.

  3. Audit SAP internet exposure — use Shodan or similar tools to identify if your SAP systems are internet-reachable; any internet-facing SAP system is at immediate risk from CVE-2017-12637 exploitation.

  4. Monitor SAP access logs — review SAP logs for unusual GET requests to /scheduler/ui/ with ../ sequences in the query string; these indicate exploitation attempts.

  5. Rotate SAP system credentials — if CVE-2017-12637 may have been exploited against an exposed SAP system, rotate all SAP service account credentials, database passwords, and LDAP integration credentials immediately.
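The log review in step 4 can be automated. The following Python script is an added example, not part of the original advisory or any SAP tooling: it parses constructed web-server access-log lines in Common Log Format (an assumption; SAP's own HTTP access log layout differs, so adapt the regular expression), decodes single and double percent-encoding, and flags GET requests to the Scheduler UI endpoint whose query string contains a ".." path segment. The hex path segment in the endpoint is assumed to vary between deployments, so only the fixed parts are matched.

```python
import re
from urllib.parse import unquote, urlsplit

# Vulnerable endpoint from the advisory; the hex segment is assumed to vary per deployment.
SCHEDULER_ENDPOINT = re.compile(r"^/scheduler/ui/js/[0-9a-f]+/UIUtilJavaScriptJS", re.I)
# A ".." component bounded by slashes/backslashes or the string edges.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2025:10:01:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%2F..%2F..%2Fpath%2Fto%2Ffile HTTP/1.1" 200 1832
203.0.113.10 - - [20/Mar/2025:10:01:05 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?%252e%252e%252f%252e%252e%252fconf HTTP/1.1" 200 4096
198.51.100.7 - - [20/Mar/2025:10:02:00 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?UIUtil.js HTTP/1.1" 200 512
198.51.100.7 - - [20/Mar/2025:10:02:01 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_repeatedly(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %2F and %252F both become '/'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def traversal_query(target):
    """Return the decoded query if the request targets the Scheduler UI endpoint with a '..' segment, else None."""
    parts = urlsplit(target)
    if not SCHEDULER_ENDPOINT.match(parts.path):
        return None
    query = decode_repeatedly(parts.query)
    return query if TRAVERSAL.search(query) else None

def scan_log(text):
    """Return (client ip, timestamp, HTTP status, decoded query) for each suspicious GET."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "GET":
            continue
        q = traversal_query(m["target"])
        if q is not None:
            hits.append((m["ip"], m["ts"], int(m["status"]), q))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

A 200 status on a flagged request is the signal that matters most: on an unpatched system it indicates the file read likely succeeded, and the credential rotation in step 5 should follow.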

Key Details

CVE ID: CVE-2017-12637
Vendor / Product: SAP — NetWeaver
NVD Published: 2017-08-07
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added: 2025-03-19
CISA KEV Deadline: 2025-04-09
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-04-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2017-08-07: CVE-2017-12637 published by NVD; SAP releases patch
2025-03-19: Added to CISA Known Exploited Vulnerabilities catalog
2025-04-09: CISA BOD 22-01 remediation deadline

References

NVD — CVE-2017-12637 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)
SAP Security Note 3476549 (Vendor Advisory)