OpenKM Remote Code Execution Vulnerability in Administrative Scripting Interface

Vulnerability

A remote code execution vulnerability has been identified in OpenKM 6.3.12 and 7.1.47 (versions prior to 7.1.48). It allows an authenticated administrator to execute arbitrary Java/BeanShell code through the '/admin/Scripting' endpoint: a script submitted with the 'action=Evaluate' parameter is evaluated server-side and can run operating system commands in the security context of the OpenKM application server process.

Impact

Exploitation leads to full server compromise: an attacker can execute arbitrary operating system commands, spawn reverse shells, read and modify files on the server, install persistent malware, and move laterally within the network.

Reproduction

To reproduce this vulnerability, log into the OpenKM admin account and navigate to the 'Scripting' section under 'Administration'. Enter BeanShell code into the provided textarea and click the 'Evaluate' button to execute it. For demonstration, a snippet that runs the 'whoami' command shows that arbitrary commands are executed through this interface.
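Because the scripting console is a legitimate administrative feature, the practical defensive control is to audit who uses it and when. The following added example (not part of the advisory, and not OpenKM project code) scans web server access-log lines for requests to the '/admin/Scripting' endpoint and flags those that look like script evaluations: either 'action=Evaluate' in the query string, or a POST to the endpoint, whose form body (and therefore its 'action' parameter) is not recorded in a standard access log. The combined log format and the sample lines are assumptions constructed for the example; the request path and the 'action=Evaluate' parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined access-log format (assumed shape, not real data).
SAMPLE_LOG = """\
10.0.0.5 - admin [26/May/2026:16:40:01 +0000] "POST /OpenKM/admin/Scripting?action=Evaluate HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - alice [26/May/2026:16:41:12 +0000] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.5 - admin [26/May/2026:16:42:30 +0000] "GET /OpenKM/admin/Scripting HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - admin [26/May/2026:16:43:05 +0000] "POST /OpenKM/admin/Scripting HTTP/1.1" 200 640 "-" "curl/8.0"
"""

# Regex for the common/combined access-log format (assumed log shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SCRIPTING_PATH = "/admin/Scripting"  # endpoint named in the advisory


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def classify(rec):
    """Return a reason string if the request looks like a script evaluation, else None."""
    if not rec["path"].endswith(SCRIPTING_PATH):
        return None
    # Evaluate action visible in the query string: definite script evaluation request.
    if rec["query"].get("action") == ["Evaluate"]:
        return "action=Evaluate in query string"
    # POSTed form bodies are not logged, so any POST to the console is worth review.
    if rec["method"] == "POST":
        return "POST to scripting endpoint (form body not logged)"
    # A plain GET of the console page (viewing it) is not flagged.
    return None


def find_script_evaluations(log_text):
    """Return a list of flagged requests with source IP, user, timestamp and reason."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append({"ip": rec["ip"], "user": rec["user"],
                         "ts": rec["ts"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_script_evaluations(SAMPLE_LOG):
        print(hit)
```

Each flagged entry carries the authenticated user and source address, which is what an incident responder needs to decide whether a given evaluation was expected administrative work or use of a compromised admin account; pairing this with an alert on any use of the console from an unfamiliar address or user agent is a reasonable starting rule.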

Added: May 26, 2026, 4:52 PM
Updated: May 26, 2026, 4:52 PM

Vulnerability Rating

Custom Algorithm

spread           0.8
impact          10.0
exploitability   6.1
remediation      8.3
relevance        9.6
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.