CVE-2017-5586

CRITICAL

OpenText Documentum D2 4.x - Remote Code Execution via Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-5586. PoCs published by Andrey B. Panfilov.

AI-analyzed exploit summary This exploit leverages deserialization of untrusted data in OpenText Documentum D2 4.x to achieve remote code execution via a crafted serialized object containing a malicious BeanShell payload. The payload creates a superuser account in the underlying Documentum repository.

Description

OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries.

Exploits (1)

exploitdb WORKING POC
by Andrey B. Panfilov · javaremotejava
https://www.exploit-db.com/exploits/41366

This exploit leverages deserialization of untrusted data in OpenText Documentum D2 4.x to achieve remote code execution via a crafted serialized object containing a malicious BeanShell payload. The payload creates a superuser account in the underlying Documentum repository.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenText Documentum D2 version 4.x
No auth needed
Prerequisites: Network access to the target Documentum D2 instance · BeanShell and Apache Commons libraries present in the target environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41366/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96216

Scores

CVSS v3 9.8
EPSS 0.2255
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (7)
opentext/documentum_d2 4.0
opentext/documentum_d2 4.1
opentext/documentum_d2 4.2
opentext/documentum_d2 4.3
opentext/documentum_d2 4.4
opentext/documentum_d2 4.5
opentext/documentum_d2 4.6
Published Feb 22, 2017
Tracked Since Feb 18, 2026