Agorum core CVE-2025-52164
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Reading plaintext credentials requires access to the storage medium (config/DB/backups), so AV:L and PR:L; high confidentiality impact via disclosed secrets, no integrity or availability effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext.
AnalysisAI
Plaintext credential storage in agorum core open versions 11.9.2 and 11.10.1 exposes stored account credentials to anyone able to read the underlying storage, undermining the confidentiality of any account whose secrets are persisted by this German enterprise content and document management platform. The flaw, tracked as CWE-256 and reported in usd HeroLab advisory usd-2025-0023, carries a vendor/NVD CVSS of 8.2 but no public exploit identified at time of analysis and no CISA KEV listing. Disclosed credentials can be reused to impersonate users or pivot into connected systems.
Technical ContextAI
agorum core open is an open-source Enterprise Content Management (ECM) / Document Management System (DMS) developed by agorum Software GmbH, typically deployed as a self-hosted Java-based server managing documents, workflows, and user accounts. The root cause is CWE-256 (Plaintext Storage of a Password / Unprotected Storage of Credentials): rather than storing secrets as salted, one-way hashes or in an encrypted secret store, the affected versions persist credentials in cleartext. This means any actor or process able to read the credential store - configuration files, database tables, or backups - obtains directly usable passwords, with no cracking step required. The advisory references only versions 11.9.2 and 11.10.1, indicating specific releases of the product line were audited.
Affected ProductsAI
The vulnerability affects agorum core open (agorum Software GmbH) at versions 11.9.2 and 11.10.1 specifically, as identified in the usd HeroLab security advisory. No CPE strings were provided in the input to further constrain the affected configurations, and it is unclear whether other 11.x releases or the commercial 'agorum core pro' edition share the defect. The authoritative reference is the usd HeroLab advisory at https://herolab.usd.de/security-advisories/usd-2025-0023/.
RemediationAI
No vendor-released patch or fixed version is identified in the available data at time of analysis, so consult the usd HeroLab advisory (https://herolab.usd.de/security-advisories/usd-2025-0023/) and agorum's own channels for an updated release beyond 11.9.2 / 11.10.1 and upgrade as soon as one is published. As compensating controls, restrict filesystem and database access to the agorum credential store to the minimum service account (tightening OS/DB permissions and file ACLs, which is low-risk but must be validated against the application service account), encrypt data at rest and secure/rotate all backups so plaintext secrets are not exposed in snapshots, and rotate all credentials known to be stored by the platform on the assumption they may already be exposed. Where feasible, move authentication to an external identity provider (LDAP/SSO) so fewer secrets are persisted locally, accepting the integration effort as a trade-off.
Same weakness CWE-256 – Plaintext Storage of a Password
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today