📄 Description (English)
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server.
🤖 AI Executive Summary
OpenKM 6.3.12 contains a critical remote code execution vulnerability in its administrative scripting endpoint that allows authenticated administrators to execute arbitrary Java/BeanShell code and operating system commands. With a CVSS score of 7.2 and no available patch, this vulnerability poses an immediate threat to organizations using OpenKM for document management. The lack of exploit availability provides a narrow window for remediation before potential weaponization.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 30, 2026 13:00
🇸🇦 Saudi Arabia Impact Assessment
Saudi government entities, financial institutions, and large enterprises using OpenKM for document management and records retention face significant risk. High-impact sectors include: Banking sector (SAMA-regulated institutions managing sensitive financial documents), Government agencies (NCA, Ministry of Interior, Ministry of Finance managing classified and sensitive records), Healthcare organizations (MOH facilities managing patient records), Energy sector (ARAMCO and subsidiaries managing technical documentation), and Telecommunications (STC managing operational documents). The vulnerability is particularly dangerous as it requires only administrative access, which may be compromised through credential theft or insider threats common in regional threat landscapes.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Large Enterprises with Document Management Requirements
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.1
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenKM 6.3.12 instances in your environment and document their network locations and data sensitivity levels
2. Restrict administrative access to OpenKM to only essential personnel; implement principle of least privilege
3. Disable or restrict access to the /admin/Scripting endpoint at the firewall/WAF level if possible
4. Monitor all administrative logins and script execution attempts
COMPENSATING CONTROLS (until patch available):
5. Implement network segmentation to isolate OpenKM servers from critical systems
6. Deploy Web Application Firewall (WAF) rules to block requests to /admin/Scripting endpoint with action=Evaluate parameters
7. Enable comprehensive audit logging for all administrative activities and script submissions
8. Implement IP whitelisting for administrative access
9. Enforce multi-factor authentication (MFA) for all administrative accounts
10. Monitor for suspicious Java/BeanShell code patterns in logs
DETECTION RULES:
- Alert on POST requests to /admin/Scripting with action=Evaluate parameter
- Monitor for unusual process spawning from OpenKM application server process
- Track failed and successful administrative authentication attempts
- Log all script submissions with content inspection for system command patterns (Runtime.exec, ProcessBuilder, etc.)
UPGRADE PLANNING:
- Contact OpenKM vendor immediately for patch availability timeline
- Prepare upgrade testing environment
- Plan migration to patched version as critical priority
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات OpenKM 6.3.12 في بيئتك وقم بتوثيق مواقعها على الشبكة ومستويات حساسية البيانات
2. قيد الوصول الإداري إلى OpenKM للموظفين الأساسيين فقط؛ طبق مبدأ أقل صلاحية
3. عطل أو قيد الوصول إلى نقطة النهاية /admin/Scripting على مستوى جدار الحماية/WAF إن أمكن
4. راقب جميع عمليات تسجيل الدخول الإدارية ومحاولات تنفيذ البرامج النصية
الضوابط التعويضية (حتى توفر التصحيح):
5. طبق تقسيم الشبكة لعزل خوادم OpenKM عن الأنظمة الحرجة
6. نشر قواعد جدار تطبيقات الويب (WAF) لحجب الطلبات إلى نقطة النهاية /admin/Scripting مع معاملات action=Evaluate
7. فعّل تسجيل التدقيق الشامل لجميع الأنشطة الإدارية وتقديم البرامج النصية
8. طبق القائمة البيضاء للعناوين IP للوصول الإداري
9. فرض المصادقة متعددة العوامل (MFA) لجميع الحسابات الإدارية
10. راقب أنماط كود Java/BeanShell المريبة في السجلات
قواعد الكشف:
- تنبيه على طلبات POST إلى /admin/Scripting مع معامل action=Evaluate
- مراقبة توليد العمليات غير المعتادة من عملية خادم تطبيق OpenKM
- تتبع محاولات المصادقة الإدارية الفاشلة والناجحة
- تسجيل جميع تقديمات البرامج النصية مع فحص المحتوى لأنماط أوامر النظام
تخطيط الترقية:
- اتصل بمورد OpenKM على الفور لمعرفة جدول توفر التصحيح
- جهز بيئة اختبار الترقية
- خطط للترقية إلى الإصدار المصحح كأولوية حرجة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies and Procedures
ECC 2024 A.6.1.1 - Access Control and Authentication
ECC 2024 A.6.2.1 - User Access Management
ECC 2024 A.12.2.1 - Restrictions on Software Installation
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF Governance - Risk Management Framework
SAMA CSF Protect - Access Control and Authentication
SAMA CSF Protect - System and Communications Protection
SAMA CSF Detect - Security Monitoring and Incident Detection
SAMA CSF Respond - Incident Response and Recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Organizational Controls
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.3 - Access Control
ISO 27001:2022 A.12.2 - Software and Firmware Update Management
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 2.4 - Configuration Standards for System Components
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 8.1 - User Identification and Authentication
🔗 References & Sources 7
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
disclosure@vulncheck.com
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/...
disclosure@vulncheck.com
https://hub.docker.com/r/openkm/openkm-ce
disclosure@vulncheck.com
https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/52520
disclosure@vulncheck.com
https://www.openkm.com/
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openkm-remote-code-execution-via-administrative-sc...
disclosure@vulncheck.com