CVE-2017-12637

Active exploitation of dangerous SAP security vulnerability

Image source: Casimiro PT / Shutterstock.com

Onapsis Research Labs has made an alarming discovery: the SAP vulnerability CVE-2017-12637 is currently being actively exploited. Cybercriminals are using the vulnerability to gain access to critical SAP configuration files – with potentially devastating consequences.

What is behind SAP vulnerability CVE-2017-12637?

The vulnerability is a directory traversal: an unauthenticated attacker can read arbitrary files from the server's file system. Particularly sensitive: this includes configuration files that hold login credentials, as well as the SAP Secure Store. With that material in hand, a complete compromise of the system is possible.


Warning from CISA – companies should act

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an explicit warning on March 19, 2025 that the vulnerability is being actively exploited, adding it to its Known Exploited Vulnerabilities (KEV) catalog. Onapsis identified the exploitation via its global SAP Threat Intelligence Network and informed both SAP and CISA.

An old patch does not always protect

Although SAP released a patch for the vulnerability back in 2017, it remains a risk in some installations: in 2024, SAP determined that some systems could still be vulnerable even with that patch applied. Having installed the 2017 note is therefore not, by itself, proof that a system is protected.

High threat level for companies

The vulnerability affects SAP NetWeaver Application Server Java (AS Java), which is frequently used for internet-facing applications. With a CVSSv3 base score of 7.7 it is rated High. Because an unauthenticated attacker can use the leaked credentials to take over the entire system, immediate remediation is crucial.


Companies should urgently verify that every AS Java instance is actually protected, not merely that the 2017 patch was installed at some point, before it is too late.

You can find more information on the Onapsis blog.

(vp/Onapsis)
