Active exploitation of critical SAP flaw CVE-2017-12637 reported by Onapsis
Take action: If you are running SAP, check your infrastructure for versions of SAP NetWeaver. Then plan a quick update all SAP NetWeaver AS Java systems immediately by following SAP Notes 2486657, 2278834, and 3476549. Check if the vulnerable component is still active even after patching.
Learn More
Researchers from Onapsis have discovered active exploitation of a vulnerability from 2017 is targeting SAP systems.
Despite being patched in 2017, this vulnerability continues to put organizations at risk, prompting an urgent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 19, 2025.
The vulnerability is tracked as CVE-2017-12637 (CVSS score 7.7) - Directory Traversal impacting SAP Netweaver AS Java Application Server. Though classified with a CVSS score of 7.7, the real-world impact is significantly more severe. The vulnerability allows unauthenticated attackers to extract arbitrary system files that the SAP system user has access to, obtain critical SAP configuration files, access credentials stored in the SAP Secure Store and achieve full system compromise of vulnerable SAP installations.
Onapsis Research Labs has observed sophisticated attack patterns where threat actors demonstrate extensive knowledge of SAP systems:
- Attackers probe multiple SAP system URLs for vulnerable instances
- After identifying a system vulnerable to CVE-2017-12637, they execute a simple GET request with path traversal techniques
- They immediately begin exfiltrating SAP system-specific files, including binary files like the SAP Secure Store
- Using publicly available tools, attackers decrypt the Secure Store to obtain highly privileged SAP credentials
- With these credentials, attackers gain full access to the SAP application through web interfaces or direct database connections
Despite being patched in 2017, some installations remain exposed due to the affected component being rebranded from SAP CPS V8 to SAP BPA V9 (as noted in SAP Note 2278834). There are complex implementation requirements beyond simply applying patches so vulnerable components potentially remain active despite patching.
In 2024, SAP released Note 3476549 highlighting that systems with patch levels higher than those in the original fix may still be vulnerable.
Organizations should review SAP Notes 2486657, 2278834, and 3476549, verify if the vulnerable component is still active in your environment. Then they should apply all necessary patches (ENGINEAPI 7.50 SP02, ENGINEAPI 7.50 SP03, ENGINEAPI 7.50 SP04, ENGINEAPI 7.50 SP05)
Alternatively, Organizations should consider deactivating or upgrading the vulnerable component.
