Agorum Core CVE-2025-52168
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Arbitrary file read on an ECM server warrants C:H; no write capability is described, so I:N; unauthenticated network access confirmed by description and PR:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system.
AnalysisAI
Unauthenticated arbitrary file read in Agorum Core open v11.9.2 and v11.10.1 exposes the underlying filesystem to any network-accessible attacker via the dynawebservice component. The access control failure (CWE-284) requires no authentication, no user interaction, and no special configuration - any exposed instance of these two specific versions is vulnerable. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-prerequisite network vector makes this trivially exploitable once an attacker identifies the endpoint, and the ECM context means sensitive documents, credentials, and configuration files are likely stored on the affected system.
Technical ContextAI
Agorum Core is an open-source enterprise content management (ECM) system developed by agorum Software GmbH, designed for document management and workflow automation. The affected component, dynawebservice, is a web service interface exposed by the platform for programmatic access. CWE-284 (Improper Access Control) identifies the root cause as a missing or bypassable authorization enforcement layer on file retrieval operations within this endpoint - the service does not verify whether the requestor is authenticated before serving file contents. This class of flaw typically arises from authentication middleware being applied inconsistently across route handlers, or from a dedicated endpoint that was designed for internal use but inadvertently exposed without access controls. Affected versions are confirmed as v11.9.2 and v11.10.1; no CPE strings were provided in the available data.
Affected ProductsAI
Agorum Core open version 11.9.2 and version 11.10.1, developed by agorum Software GmbH, are confirmed affected through the dynawebservice component. No CPE strings were included in the available intelligence data. Other versions of Agorum Core are not confirmed affected or unaffected by the available data and should be assessed against the vendor advisory. The usd HeroLab security advisory at https://herolab.usd.de/security-advisories/usd-2025-0022/ is the primary reference for authoritative affected version scope.
RemediationAI
Consult the usd HeroLab advisory at https://herolab.usd.de/security-advisories/usd-2025-0022/ as the authoritative source for patch details - no explicit patched version number was present in the available intelligence data, so a confirmed fixed release cannot be cited here. As an immediate compensating control, restrict network access to the dynawebservice endpoint using a reverse proxy, WAF rule, or firewall ACL to permit only trusted internal IP ranges; note that this may break legitimate API integrations relying on dynawebservice and should be tested before broad deployment. If the dynawebservice component is not actively used in your environment, disabling or removing it eliminates the attack surface entirely without impacting core ECM functionality, though dependent automation workflows must be inventoried first. For internet-facing deployments that cannot be patched or isolated immediately, placing the Agorum instance behind a VPN gateway is the highest-impact temporary control, preventing unauthenticated public access entirely.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today