
Active Exploitation of SAP Vulnerability CVE-2017-12637 Putting Things in Perspective
On March 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SAP vulnerability CVE-2017-12637 to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. This warning indicates that specific vulnerabilities are being exploited ‘in the wild’.
While we strongly encourage customers to assess their exposure and take appropriate action, let’s put the situation into perspective as the number of affected customers seems limited.
What’s the Risk?
To help you understand what this means for customers, we list below the specific conditions under which you are at risk. The risk level varies (for example, depending on whether your SAP systems are exposed to the internet) but appears limited because of the specific conditions required for exploitation:
- Your SAP landscape includes Java systems
- You installed the SAP job scheduling add-on (Software Component: ETPRJSCHEDULER)
- You use an outdated version of this add-on (SAP CPS Job Scheduler version 8), which was discontinued in 2020
Initial analysis suggests that only a small subset of customers meet all these criteria.
No public data has been shared regarding the frequency, origin, or methods of exploitation, which makes it difficult to assess the threat’s scale. However, since ETPRJSCHEDULER is not part of the default AS Java deployment, and the affected version is long outdated, the overall exploitation risk is considered low.
That said, if your environment still includes SAP CPS 8.0, swift action is advised: the likelihood may be low, but the potential impact is high. Although the original SAP Security Note 2486657, released as the first patch, carries only a CVSS score of 7.7, a full system compromise is at stake, because the vulnerability allows an attacker to retrieve sensitive files such as the SAP Secure Store files, which contain the credentials used to access the SAP system.
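As an added example (not code from the SecurityBridge article or from SAP), the following Python turns the three exposure criteria above into a triage routine over a landscape inventory. The CSV layout `SID,TYPE,COMPONENT,RELEASE` and the sample systems are constructed assumptions; real component exports from AS Java look different and would need their own parser.

```python
from dataclasses import dataclass
VULNERABLE_COMPONENT = "ETPRJSCHEDULER"  # SAP CPS 8 / BPA 9 software component
FIXED_MAJOR = 9                          # SAP BPA 9.0 replaces discontinued CPS 8

@dataclass
class Finding:
    sid: str
    status: str        # at_risk | upgrade_done | not_installed | not_java
    release: str = ""

def parse_inventory(text):
    """Return {sid: (system_type, {component: release})} from the constructed CSV."""
    systems = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sid, systype, component, release = [f.strip() for f in line.split(",")]
        comps = systems.setdefault(sid, (systype.upper(), {}))[1]
        comps[component.upper()] = release
    return systems

def major_version(release):
    """'8.0.12' -> 8, '9.0' -> 9, anything unparsable -> None."""
    head = release.split(".")[0]
    return int(head) if head.isdigit() else None

def triage(text):
    findings = []
    for sid, (systype, comps) in parse_inventory(text).items():
        if systype != "JAVA":                      # criterion 1: Java system
            findings.append(Finding(sid, "not_java"))
        elif VULNERABLE_COMPONENT not in comps:    # criterion 2: add-on installed
            findings.append(Finding(sid, "not_installed"))
        else:                                      # criterion 3: still on CPS 8
            rel = comps[VULNERABLE_COMPONENT]
            # An unparsable release yields None -> 0 -> reported as at risk until checked by hand.
            fixed = (major_version(rel) or 0) >= FIXED_MAJOR
            findings.append(Finding(sid, "upgrade_done" if fixed else "at_risk", rel))
    return findings

SAMPLE = """\
# constructed sample inventory; SIDs and releases are not real systems
PRD,JAVA,ETPRJSCHEDULER,8.0.12
DEV,JAVA,ETPRJSCHEDULER,9.0.17
ERP,ABAP,SAP_BASIS,7.50
PI1,JAVA,SERVERCORE,7.50.20
"""
if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.sid}: {f.status} {f.release}".rstrip())
```

Systems reported as `at_risk` are the ones the note above applies to; `upgrade_done` only means the component release is 9 or higher, not that the system is fully patched.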
Resolution Steps
Refer to SAP Note 3476549 for technical details. The vulnerability affects the ETPRJSCHEDULER component of the deprecated “SAP CPS 8.0 by Redwood” product, which has been replaced by SAP BPA 9.0.
If You Still Use Redwood (CPS 8.0):
- Upgrade to BPA 9.0 following SAP Note 2278834 – Upgrading from SAP CPS V8 to SAP BPA V9
If You Don’t Use It:
- The application can be disabled:
  - Disabled by default from version 750 SP27 onwards: SAP Note 3274660 – Disabled applications in ETPRJSCHEDULER.SCA
  - Manual disabling (without SP upgrade): SAP Note 1592936 – How to disable SAP CPS on NW AS Java
SecurityBridge customers can also use the Patch Management Tool feature to search for the relevant software component and locate ‘ETPRJSCHEDULER’ in their landscape.
For more information on this topic, see these resources:
- SAP Security note 3476549
- SecurityBridge KnowledgeBase article (customers only)