
A significant security flaw has been identified in Progress OpenEdge, a platform for developing and deploying business applications.

The defect, tracked as CVE-2025-7388, permits remote code execution (RCE) and affects numerous versions of the software, potentially giving attackers the ability to run arbitrary commands with elevated system privileges.

This vulnerability is found in the AdminServer element of OpenEdge, particularly in its Java Remote Method Invocation (RMI) interface, which is utilized for remote administrative tasks.

A security advisory indicates that the flaw enables an authenticated user who is not authorized for the operation to alter configuration properties. This can result in OS command injection through the workDir parameter.

Commands inserted by an attacker are executed with the elevated privileges of the AdminServer process, which on Windows platforms typically runs as NT AUTHORITY\SYSTEM.

Progress OpenEdge AdminServer Vulnerability

Progress has fixed the vulnerability and released patches in OpenEdge Long-Term Support (LTS) Updates 12.2.18 and 12.8.9.

The fix involves two primary changes: first, it sanitizes the workDir parameter by enclosing its value in double quotes to prevent command injection. Second, it disables remote RMI functionality by default to reduce the attack surface.
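The advisory describes the fix as wrapping the workDir value in double quotes before it reaches an OS command. The Python below is an added illustration written for this article, not Progress's code: it shows the general pattern of a configuration property being spliced into a command line, the quoting approach the advisory describes, and a stricter defensive pattern that rejects shell metacharacters, confines the path to an allowed root, and passes the value as a single argv element with no shell involved. The tool name `runtool`, the property name `work_dir` and the root `/srv/openedge/work` are constructed placeholders.

```python
"""Command-injection pattern via a configuration property, with two defences.

Hypothetical example for this article; 'runtool', 'work_dir' and the
allowed root are constructed placeholders, not OpenEdge internals.
"""
import posixpath
import subprocess

# Characters with special meaning to cmd.exe or a POSIX shell. A working
# directory path has no legitimate need for any of them.
SHELL_METACHARS = set(';&|`$<>\n\r"\'(){}')


def build_command_vulnerable(work_dir: str) -> str:
    # The property value is spliced verbatim into a command line that will be
    # handed to a shell. Whatever the value contains becomes part of the command.
    return f"runtool --workdir={work_dir}"


def build_command_quoted(work_dir: str) -> str:
    # The approach the advisory describes for the fix: wrap the value in double
    # quotes so whitespace and unquoted metacharacters no longer split the
    # command. This relies on the value not containing a double quote itself.
    return f'runtool --workdir="{work_dir}"'


def validate_work_dir(work_dir: str, allowed_root: str) -> str:
    """Return a normalised path under allowed_root, or raise ValueError."""
    if not work_dir:
        raise ValueError("workDir is empty")
    if any(ch in SHELL_METACHARS for ch in work_dir):
        raise ValueError("workDir contains shell metacharacters")
    root = posixpath.normpath(allowed_root)
    candidate = posixpath.normpath(posixpath.join(root, work_dir))
    # posixpath.join discards 'root' if work_dir is absolute, and '..' segments
    # are collapsed by normpath; both cases are caught by the root check.
    if posixpath.commonpath([candidate, root]) != root:
        raise ValueError("workDir escapes the allowed root")
    return candidate


def build_command_hardened(work_dir: str, allowed_root: str) -> list:
    # Validate first, then build an argv list. Each element is passed to the
    # child process as one argument, so the shell never parses the value.
    safe = validate_work_dir(work_dir, allowed_root)
    return ["runtool", f"--workdir={safe}"]


def run_hardened(work_dir: str, allowed_root: str) -> int:
    # shell=False (the default) means no command-line parsing by cmd.exe or sh.
    argv = build_command_hardened(work_dir, allowed_root)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample values: a normal directory name and a malformed one.
    print(build_command_vulnerable("app1"))
    print(build_command_quoted("my app"))
    print(build_command_hardened("my app", "/srv/openedge/work"))
    try:
        validate_work_dir("app1; echo injected", "/srv/openedge/work")
    except ValueError as err:
        print("rejected:", err)
```

The argv form is the stronger of the two defences because it removes the shell from the picture entirely; quoting is a reasonable fix for an existing string-based interface, but it only holds if embedded quotes are also rejected or escaped, which is why `validate_work_dir` refuses them outright.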

All OpenEdge versions prior to these updates, including LTS Releases 12.2.17 and 12.8.8 and their previous minor versions, are vulnerable.

Systems running unpatched versions remain at considerable risk, since authentication alone stands between an attacker and compromise of the entire system.

For users who have implemented the patch, remote RMI will be disabled by default. Administrators who depended on this feature for remote operations will notice it no longer functions.

While it is possible to re-enable remote RMI, Progress cautions that doing so reinstates the security risk and should only be done where there is a compelling business justification, at the user's own risk.

For organizations unable to promptly apply the updates, temporary mitigations are advised.

These include limiting network access to the AdminServer RMI port (default 20931) using firewalls, executing the AdminServer process with the minimum feasible privileges, and removing any unused AdminServer plugins to lessen potential attack vectors.

Nevertheless, these measures are intended solely as temporary stopgaps. Progress strongly recommends that all customers upgrade to the patched versions to fully address the vulnerability.

Users of deprecated OpenEdge versions must upgrade to a currently supported release to access the fix.
