Pre-authenticated Remote Code Execution in cs.exe (OpenText™ Server Component)




OpenText™ Content Server component of OpenText™ Extended ECM

Vulnerable Version

20.4 - 22.3

Fixed Version


CVE Number







Armin Stock (Atos) | SEC Consult Vulnerability Lab

There is a vulnerability in the “cs.exe” program of the OpenText™ Content Server component of OpenText™ Extended ECM, which allows an attacker to create an object with a fake “vftable” and execute arbitrary code by abusing a DLL which was compiled without ASLR.

Vendor description

"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the information lifecycle by integrating with leading enterprise applications, such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content and processes together, Extended ECM provides access to information when and where it’s needed, improves decision-making and drives operational effectiveness."



Business recommendation

The vendor provides a patch which should be installed immediately.


Vulnerability Overview/Description

1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The Common Gateway Interface (CGI) program cs.exe of the Content Server has a vulnerability that allows an attacker to increment or decrement the value at an arbitrary memory address by 1 and to trigger a call to a method of a vftable whose pointer value is chosen by the attacker.

cs.exe deserializes ("cracks") the user-provided data in the `_fInArgs` parameter if the `_ApiName` parameter is set. During this deserialization to a `class KOSValue` object, the function `obj_ref_cracker` can be called. This function tries to create a new `class KOSValue` object with an unknown class ID of `3`.

Because the class ID is unknown, the function returns an object of type `KOSValueBaseClass` instead of `KOSObjRefClass`, but the value of the `class_ptr` attribute of the new `class KOSValue` object is controlled by the attacker. This new object can then be used to increment or decrement values at arbitrary memory addresses and to call methods of its vftable via the functions `KOSValueBaseClass::AddReference` and `KOSValueBaseClass::ReleaseReference`.


Proof of concept

1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The following request crashes the CGI binary cs.exe with an access violation exception (0xC0000005) while trying to read memory from address 0xAAAA+8:

[ PoC removed, will be published at a later date ]

There are .dll files (libaprutil-1.dll and libapriconv-1.dll) that are compiled without the Address Space Layout Randomization (ASLR) security flag and can be used to achieve remote code execution. The ASLR status of the DLLs in the cgi directory can be listed with winchecksec:

.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'
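
For auditing an installation without winchecksec, the same property can be read directly from the PE header fields that decide whether the loader may relocate an image. This is an added example, not part of the original advisory or of winchecksec; the function names `pe_mitigations` and `build_sample` and the header-only sample image are constructed for illustration.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001       # COFF Characteristics
HIGH_ENTROPY_VA = 0x0020                  # DllCharacteristics
DYNAMIC_BASE = 0x0040                     # DllCharacteristics, set by /DYNAMICBASE
NX_COMPAT = 0x0100                        # DllCharacteristics

def pe_mitigations(image: bytes) -> dict:
    """Read the relocation-related header flags of a PE image (DLL or EXE)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    opt = pe_off + 24                     # signature (4) + COFF header (20)
    if len(image) < opt + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad or truncated PE header")
    (file_chars,) = struct.unpack_from("<H", image, pe_off + 22)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs = not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_present": relocs,
        "aslr": dynamic_base and relocs,  # the image can move only if both hold
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
    }

def build_sample(dll_chars: int, file_chars: int = 0x2022) -> bytes:
    """Constructed header-only PE32+ image for the demo; not a loadable DLL."""
    img = bytearray(0x80 + 24 + 72)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 22, file_chars)
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)
    struct.pack_into("<H", img, 0x80 + 24 + 70, dll_chars)
    return bytes(img)

if __name__ == "__main__":
    for path in sys.argv[1:]:             # paths of the DLLs to audit
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read()))
```

A DLL that reports `aslr: False` is loaded at its preferred base address in every process, so addresses inside it are predictable regardless of the mitigations enabled for the host executable.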



Vulnerable / tested versions

The following version has been tested:

  • 22.1 (

The following versions are vulnerable according to the vendor:

  • 20.4 - 22.3


Vendor contact timeline

2022-10-07 Vendor contacted via
2022-10-07 Vendor acknowledged the email and is reviewing the reports
2022-11-18 Vendor confirms all vulnerabilities and is working on a patch aimed to be released in November
2022-11-24 Vendor delays the patch "few days/weeks into December"
2022-11-25 Requesting CVE numbers (Mitre)
2022-12-15 Vendor delays the patch and provides a release date January 16th 2023
2023-01-17 Public release of security advisory


Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at the vendor's page:




Advisory URL

EOF Armin Stock / @2022
