Critical Zero‑Day Vulnerabilities Discovered in OpenKM Document Management Platform (Versions 6.3.12 & 7.1.47)
What Happened – Researchers at Terra System Labs disclosed multiple critical zero‑day flaws in OpenKM Community 6.3.12 and Pro 7.1.47 (and earlier releases). The vulnerabilities are exploitable via crafted GWT‑RPC requests, allowing unauthenticated remote code execution on both Windows and Linux Docker deployments.
Why It Matters for TPRM –
- OpenKM is widely used as a third‑party document‑management service across finance, healthcare, and government sectors.
- An active exploit means attackers can compromise any vendor‑hosted or customer‑hosted OpenKM instance, potentially exfiltrating sensitive documents.
- Lack of a CVE identifier can delay detection by automated vulnerability‑management tooling, increasing exposure time.
Who Is Affected – Organizations that integrate OpenKM Community or Pro editions (document‑management, ECM, SaaS platforms, and any internal deployments). Primary industry impact: TECH_SAAS, FIN_SERV, HEALTH_LIFE, GOV_PUBLIC.
Recommended Actions –
- Inventory all OpenKM instances (self‑hosted, Docker, cloud).
- Apply the mitigation patches released by OpenKM (or upgrade to the latest supported version).
- Block unauthenticated GWT‑RPC traffic at the perimeter and enforce strict API authentication.
- Conduct a focused file‑integrity review, comparing deployed files against the last known safe state to identify anything modified since.
Technical Notes – The exploit abuses insecure GWT‑RPC endpoints (/frontend/Workspace) to inject malicious payloads that execute arbitrary OS commands. No CVE has been assigned yet (CVE: N/A). Affected data includes any documents stored in the repository, user credentials, and potentially system configuration files. Source: Exploit‑DB 52520
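As an added triage example (not from the advisory, Terra System Labs, or OpenKM), the script below scans access-log lines for GWT‑RPC POSTs to the /frontend/Workspace endpoint that carry no servlet session cookie, which is the unauthenticated request pattern the Recommended Actions say to block at the perimeter. The extended log format, the use of JSESSIONID as the session marker, and the sample lines are assumptions; the text/x-gwt-rpc content type is the standard GWT‑RPC request type.

```python
"""Flag GWT-RPC calls to /frontend/Workspace that arrive without a session cookie.

Assumed log format (constructed): combined access log extended with two
quoted fields, the request Content-Type and the Cookie header:
  ip - - [time] "METHOD path HTTP/x" status bytes "content-type" "cookie"
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)" "(?P<cookie>[^"]*)"$'
)

WORKSPACE_PATH = "/frontend/Workspace"   # endpoint named in the advisory
GWT_RPC_CTYPE = "text/x-gwt-rpc"         # standard GWT-RPC request content type
SESSION_COOKIE = "JSESSIONID="           # assumed servlet session marker

# Constructed sample: one authenticated call, two pre-auth calls from a second
# client, and an unrelated page load.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "POST /OpenKM/frontend/Workspace HTTP/1.1" 200 512 "text/x-gwt-rpc; charset=utf-8" "JSESSIONID=abc123"
198.51.100.7 - - [12/Mar/2025:10:01:05 +0000] "POST /OpenKM/frontend/Workspace HTTP/1.1" 200 2048 "text/x-gwt-rpc; charset=utf-8" "-"
198.51.100.7 - - [12/Mar/2025:10:01:06 +0000] "POST /OpenKM/frontend/Workspace HTTP/1.1" 200 2048 "text/x-gwt-rpc; charset=utf-8" "-"
203.0.113.10 - - [12/Mar/2025:10:02:00 +0000] "GET /OpenKM/login.jsp HTTP/1.1" 200 1024 "-" "-"
"""


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_workspace_rpc(rec):
    """True for a GWT-RPC POST to the Workspace endpoint with no session cookie."""
    path = rec["path"].split("?", 1)[0]          # ignore any query string
    return (rec["method"] == "POST"
            and path.endswith(WORKSPACE_PATH)
            and rec["ctype"].startswith(GWT_RPC_CTYPE)
            and SESSION_COOKIE not in rec["cookie"])


def find_suspicious(log_text):
    """Return the parsed records that match the pre-auth Workspace pattern."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and is_unauthenticated_workspace_rpc(r)]


def summarize_by_source(hits):
    """Count flagged requests per client IP to prioritise follow-up."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ip, n in summarize_by_source(find_suspicious(SAMPLE_LOG)).items():
        print(f"{ip}: {n} unauthenticated Workspace RPC request(s)")
```

Any source reported by this script still needs correlation with authentication logs, since a missing cookie is a triage signal rather than proof of exploitation.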