CVE-2017-12637

HIGH KEV NUCLEI

SAP NetWeaver Application Server Java 7.5 - Local File Inclusion

Title source: nuclei

Description

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

Exploits (1)

nomisec WORKING POC

by abrewer251 · infoleak

https://github.com/abrewer251/CVE-2017-12637_SAP-NetWeaver-URL-Traversal

View Code ZIP pw:eip

Nuclei Templates (1)

SAP NetWeaver Application Server Java 7.5 - Local File Inclusion

HIGHby apt-mirror

Shodan: http.favicon.hash:-266008933

FOFA: icon_hash=-266008933

References (2)

[Third Party Advisory] https://web.archive.org/web/20170807202056/http://www.sh0w.top/index.php/archives/7/

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12637

Scores

CVSS v3 7.5

EPSS 0.9339

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CISA KEV 2025-03-19

VulnCheck KEV 2017-08-07

InTheWild.io 2021-04-20

ENISA EUVD EUVD-2017-4176

CWE

CWE-22

Status published

Products (1)

sap/netweaver_application_server_java 7.50

Published Aug 07, 2017

KEV Added Mar 19, 2025

Tracked Since Feb 18, 2026