By Lyrie Threat Intelligence·3/19/2025

What happened

CISA added CVE-2017-12637 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-03-19 with a remediation due date of 2025-04-09 for the federal civilian executive branch agencies covered by BOD 22-01 CISA KEV.

The vulnerability is a directory traversal in SAP NetWeaver Application Server (AS) Java (the NVD record scopes it to AS Java 7.5), reachable through the resource path scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS, which lets a remote attacker read arbitrary files outside the directory that resource is meant to serve NVD CVE-2017-12637.

Exploitation consists of placing ".." (dot-dot) sequences in the HTTP query string sent to that resource; the handler walks up the directory tree and returns the requested file. The CVE record notes that the flaw was already exploited in the wild in August 2017, so the 2025 KEV entry concerns an eight-year-old bug that remains in use MITRE CVE record.

Why it matters

Placement in KEV signals that CISA holds credible evidence of exploitation in the wild and obliges U.S. federal civilian agencies to remediate by the due date; the required action is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable CISA KEV.

An arbitrary file read on an application server exposes whatever the AS Java process can read: configuration files, credential stores and keys, and logs. The data itself is the first loss; credentials recovered from it are what typically enable follow-on access NVD CVE-2017-12637.

The weakness maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): user-controlled path elements are used to build a filesystem path without adequate validation or canonicalization before the file is accessed NVD CWE mapping.

Technical detail

The vulnerable endpoint is a JavaScript utility resource, UIUtilJavaScriptJS, served by SAP NetWeaver AS Java from scheduler/ui/js under the hashed directory segment ffffffffbca41eb4. Because the path is fixed, requests to it are the natural focal point for both detection and validation testing NVD CVE-2017-12637.

The attacker supplies a query string containing parent-directory references (".."). The server-side handler neither canonicalizes the resulting path nor checks that it remains inside the intended base directory, so the reference escapes that directory and the handler returns a file from elsewhere on the filesystem MITRE CVE description.

The flaw is reachable remotely over the HTTP interfaces AS Java normally exposes, since it is triggered by an ordinary request to the affected path. The CVE record describes the attacker only as "remote" and does not state that authentication is required, so an instance reachable from an untrusted network should be treated as exposed until verified otherwise NVD CVE-2017-12637.

The flaw sits squarely in CWE-22 (Path Traversal): the application builds a path from untrusted input and fails to constrain it to a safe base directory, so sequences such as "../" break out of that directory NVD CWE mapping.
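The mechanism above, as an added example that is not SAP's code and not the patched handler: a generic Python file-serving routine with the CWE-22 defect beside a hardened version that canonicalizes the path and checks containment before opening anything. The directory layout, the file names and the secret.properties contents are constructed for the demonstration.

```python
# Added example (not SAP's code): the CWE-22 pattern behind CVE-2017-12637,
# shown generically. build_fixture() creates a constructed directory layout so
# the block runs offline; nothing here touches a real NetWeaver install.
import os
import tempfile
from pathlib import Path


def build_fixture() -> tuple[str, str]:
    """Constructed layout: <root>/webapp/js/ui.js is meant to be served;
    <root>/secret.properties sits two levels above and must never be reachable."""
    root = Path(tempfile.mkdtemp(prefix="cwe22-"))
    js_dir = root / "webapp" / "js"
    js_dir.mkdir(parents=True)
    (js_dir / "ui.js").write_text("function ui() {}\n")
    (root / "secret.properties").write_text("db.password=hunter2\n")
    return str(js_dir), str(root / "secret.properties")


def serve_vulnerable(base_dir: str, name: str) -> str:
    # VULNERABLE (CWE-22): the attacker-controlled name is appended to the base
    # directory and opened as-is; "../" segments walk out of base_dir.
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def serve_hardened(base_dir: str, name: str) -> str:
    base = Path(base_dir).resolve()
    # resolve() collapses "." and ".." and follows symlinks, so the containment
    # test is done on the path the OS would actually open. An absolute name
    # ("/etc/hostname") replaces the base entirely and is rejected the same way.
    target = (base / name).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target escaped base
    except ValueError:
        raise PermissionError(f"path escapes base directory: {name!r}") from None
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text(encoding="utf-8")


def probe(handler, base_dir: str, name: str) -> str:
    """Run a handler and report the outcome as a string (used by the demo below)."""
    try:
        return "OK:" + handler(base_dir, name)
    except PermissionError:
        return "BLOCKED"
    except (FileNotFoundError, NotADirectoryError):
        return "NOT_FOUND"


if __name__ == "__main__":
    base, _secret = build_fixture()
    for name in ("ui.js", "../../secret.properties", "/etc/hostname"):
        print(f"{name!r:28} vulnerable={probe(serve_vulnerable, base, name)!r:28} "
              f"hardened={probe(serve_hardened, base, name)!r}")
```

The hardened routine makes the containment decision on the resolved path rather than on the raw string, which is why it is not fooled by "..", by mixed separators, or by a symlink planted inside the base directory; a blocklist on the literal ".." token would miss the latter two.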

Because the vulnerable asset is a predictable static path, log-based indicators can be precise: an inbound request to scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS whose query string contains traversal tokens is strongly suspicious for exploitation or reconnaissance. Match after URL-decoding the query, since the same token can arrive as "..%2f", "%2e%2e/" or a double-encoded variant, and many servers log the request line exactly as received NVD CVE-2017-12637.

Defense

  • Remediate per KEV guidance: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the affected product if no mitigation is available, within the stated KEV due date CISA KEV.
  • Inventory and exposure review: enumerate SAP NetWeaver AS Java instances and identify any that expose the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS path to the internet or to other untrusted networks; prioritize those for patching and access restriction NVD CVE-2017-12637.
  • Monitoring and detection: alert on HTTP requests whose target path matches the vulnerable resource and whose URL-decoded query string contains directory traversal tokens (dot-dot segments and their encoded forms), the CWE-22 signature NVD CWE mapping.
  • Compromise assessment: review web server and application logs for historical access to the affected path combined with traversal indicators, and examine the responses: the resource normally returns JavaScript, so successful (200) responses to traversal requests whose size or content differs from that script are consistent with arbitrary file retrieval MITRE CVE record.
  • Compensating controls: where immediate patching is blocked, restrict network access to AS Java administrative and utility paths, and place a reverse proxy or WAF in front of the endpoint that rejects query strings containing traversal sequences in any encoding CISA KEV.
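A log-side check implementing the indicator from the technical detail above and the monitoring and compromise-assessment bullets, as an added example: it is not Lyrie's detector and not vendor code. It parses NCSA-style access-log lines, percent-decodes the query string repeatedly, normalizes the path, and classifies requests to the vulnerable resource. The SAMPLE_LOG lines, client addresses and query strings are constructed for illustration and are not a working payload layout.

```python
# Added example (not Lyrie's detector, not SAP's code): classify access-log
# lines for CVE-2017-12637 exploitation attempts. Log lines below are constructed.
import posixpath
import re
from urllib.parse import unquote, urlsplit

VULN_RESOURCE = "scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS"

# NCSA common log format: client, identd, user, [timestamp], "request line", status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# A ".." that stands alone as a path segment, after decoding and slash folding.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %2e%2e and double encoding such as
    %252e), then fold backslashes to slashes so '..\\' is treated like '../'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/")


def classify(line: str):
    """Return None for lines that do not parse or do not touch the vulnerable
    resource; otherwise a dict with verdict 'exploit_attempt' or 'path_hit'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = posixpath.normpath(decode(parts.path))  # collapses /x/../ inside the path too
    if not path.endswith("/" + VULN_RESOURCE):
        return None  # traversal against other paths is out of scope for this rule
    query = decode(parts.query)
    # The resource also serves legitimate UI scripts, so a bare hit on the path is
    # an exposure/inventory signal ('path_hit'), not an alert by itself.
    verdict = "exploit_attempt" if TRAVERSAL_RE.search(query) else "path_hit"
    return {
        "src": m.group("src"), "ts": m.group("ts"), "verdict": verdict,
        "status": int(m.group("status")), "bytes": m.group("bytes"),
        "decoded_query": query,
    }


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample: two attempts (plain and double-encoded), one bare path hit,
# one traversal against an unrelated path, one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2025:10:01:02 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1894
203.0.113.7 - - [19/Mar/2025:10:01:05 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?%252e%252e%252f%252e%252e%252fusr%252fsap%252fconfig HTTP/1.1" 200 4210
198.51.100.23 - - [19/Mar/2025:10:02:11 +0000] "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS HTTP/1.1" 200 15320
198.51.100.23 - - [19/Mar/2025:10:02:12 +0000] "GET /irj/portal?page=..%2f..%2fetc HTTP/1.1" 404 512
this line is deliberately unparseable
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['verdict']:16} {hit['src']:16} {hit['status']} {hit['decoded_query']!r}")
```

The status and byte count are carried through so an analyst can apply the compromise-assessment heuristic: an exploit_attempt with a 200 whose size differs from the script the endpoint normally returns is the line to escalate. To run this over a different log format, replace LOG_RE with a parser for that format; decode() and classify() are independent of it.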

Federal agencies are required to meet the KEV remediation timeline; enterprises outside the federal scope should treat KEV-listed issues as active-exploitation priorities with accelerated SLAs CISA KEV.

Lyrie Verdict

CVE-2017-12637 is a deterministic, path-specific directory traversal in SAP NetWeaver AS Java, now listed in KEV on evidence of active exploitation CISA KEV.

Lyrie treats this as a machine-speed signature problem: continuously correlate HTTP telemetry for calls to scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS with traversal tokens and auto-escalate any positive hits, minimizing human-in-the-loop latency NVD CVE-2017-12637.

Our autonomous detectors ship preloaded with KEV-linked indicators and CWE-22 heuristics to flag path traversal patterns in real time and trigger protective actions before adversaries can harvest sensitive files NVD CWE mapping.
