LiveActive security incident?Get immediate response
CVE Record

CVE-2017-17677: BMC Remedy 9.1SP3 is affected by authenticated code execution.

BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2017-17677 is an authenticated code execution issue in BMC Remedy 9.1SP3. A user who can create reports may be able to use BIRT templates to run code. This is mainly an insider, compromised-account, or over-privileged-user risk, but the impact can be serious where Remedy is business-critical.

Executive priority

Prioritize assessment if Remedy 9.1SP3 supports service management, operations, or regulated workflows. The issue requires privileges, but successful abuse could turn a normal account into code execution on a sensitive enterprise platform.

Technical view

The CVE describes code execution through BIRT report templates in BMC Remedy 9.1SP3, requiring authentication and report-creation rights. No CVSS, CWE, detailed affected CPEs, or confirmed exploitation are provided in the source bundle. BMC published a Remedy AR System security fixes page, but exact remediation details are not included here.

Likely exposure

Organizations running BMC Remedy 9.1SP3 are potentially exposed, especially where many users can create reports or upload/manage BIRT templates. Exposure is lower where reporting rights are tightly limited and vendor fixes are applied.

Exploitation context

The source bundle supports authenticated code execution by users with report-creation rights. It does not support active exploitation, public weaponized exploitation, unauthenticated access, or broad version impact beyond the named Remedy 9.1SP3 description.

Researcher notes

The public record is sparse: severity, CVSS, CWE, CPEs, and detailed fixed versions are absent from the bundle. Treat the Full Disclosure reference as context, but rely on BMC guidance for remediation confirmation.

Mitigation direction

  • Check BMC guidance for the Remedy AR System security fixes referenced by the CVE.
  • Apply relevant vendor fixes or upgrades for affected Remedy AR System deployments.
  • Restrict report-creation rights to trusted administrative users only.
  • Review whether BIRT template use can be limited or disabled safely.
  • Monitor for unexpected report template changes or unusual report execution activity.

Validation and detection

  • Inventory BMC Remedy deployments and confirm whether version 9.1SP3 is present.
  • Review user and group permissions for report creation rights.
  • Check whether BIRT templates are enabled or accepted in reporting workflows.
  • Confirm patch status against the referenced BMC security fixes page.
  • Review audit logs for unexpected report or template creation activity.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-17677 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.