Appian Security Research Notes
My personal research notes on Appian platform security. Started this after running into Appian during a pentest and realizing I didn't know much about it.
What's in here
- Appian Platform Overview - Basic stuff about what Appian is and how it works
- Known Vulnerabilities & CVEs - CVEs I found; some are pretty old but still relevant
- Security Testing Checklist - My pentesting checklist for Appian
- Defense & Mitigation - How to secure this thing
Quick notes for when I'm lazy
CVEs worth checking
- CVE-2025-50434 - Access control bug in Appian Enterprise BPM v25.3 (recent!)
- CVE-2007-6509 - DoS on port 5400; old, but might still work
- CVE-2021-44228 - Log4j2, affects Appian components
- CVE-2022-22965 - Spring4Shell, also affects Appian
Default ports I've seen
- 5400/tcp - BPM Suite (DoS target)
- 8080/tcp - Web interface
- 8443/tcp - HTTPS interface
- 5432/tcp - PostgreSQL (usually)
Attack vectors that usually work
- Access control bypass (seems common)
- Input validation issues
- Third-party component vulns (Log4j2, Spring)
- Misconfigurations
- Session management problems
Why I made this
Got tired of googling the same stuff every time I see Appian. Now I have my own notes.