A critical security flaw, CVE-2025-7388, has been discovered in the Progress OpenEdge AdminServer, allowing authenticated but unauthorized users to achieve remote code execution (RCE) through its Java RMI interface Progress CommunityNVDCyber Security NewsDaily CyberSecurity.
Key Details
- The vulnerability exploits insufficient input validation in the
workDirparameter, enabling OS command injection via manipulation of configuration properties Cyber Security NewsDaily CyberSecurity. - Because the AdminServer often runs with elevated system privileges (e.g., NT AUTHORITY/SYSTEM on Windows), successful exploitation can allow execution of arbitrary commands with high privileges Cyber Security NewsDaily CyberSecurity.
- The vulnerability affects OpenEdge LTS versions prior to 12.2.18 and 12.8.9, including 12.2.17, 12.8.8, and possibly earlier, as well as other minor releases Cyber Security NewsDaily CyberSecurity.
Mitigation & Patching
Progress has released updates that both address the vulnerability and strengthen default settings:
- Input sanitization — The
workDirparameter is now enclosed in double quotes, neutralizing injection attempts. - RMI hardening — Remote RMI is disabled by default, reducing attack surface Cyber Security NewsDaily CyberSecurity.
Affected versions:
- Vulnerable: 12.2.17 and earlier; 12.8.8 and earlier.
- Fixed in: LTS Updates 12.2.18 and 12.8.9 Cyber Security NewsDaily CyberSecurity.
Temporary Mitigations (Until Patching)
While updating is strongly recommended, organizations unable to patch immediately can apply short-term mitigations:
- Disable remote RMI access entirely, particularly in production environments.
- Restrict network access to the AdminServer RMI port (default 20931) via firewalls or IP whitelisting.
- Run the AdminServer with least privilege, using a dedicated service account with minimal rights.
- Remove any unused plugins from AdminServer to shrink its attack surface.
- Monitor logs and audit RMI activity for anomalies.
- Where supported, enable the JVM Security Manager and enforce restrictive policies Cyber Security NewsDaily CyberSecurity.
Summary Table
| Aspect | Details |
|---|---|
| Vulnerability | Authenticated RCE via workDir injection in AdminServer RMI |
| Risk Level | High (CVSS 3.1 score: 8.4) |
| Affected Versions | < 12.2.18, < 12.8.9 (LTS Releases 12.2.17, 12.8.8, and earlier) |
| Fix Available | LTS updates 12.2.18 and 12.8.9 |
| Permanent Fix | Input sanitization; remote RMI disabled by default |
| Temporary Mitigations | Disable RMI, firewall rules, least privilege, plugin removal, monitoring |
Why It Matters
- The combination of RMI, insufficient sanitization, and high process privileges presents a potent risk for organizations relying on OpenEdge.
- The ease of exploitation (requiring only low privileges and no user interaction) underscores the importance of swift action.
- While disabling RMI reduces functionality, it’s a safer default—re-enabling it should be done only with strong compensating controls.
Cyberdudebivash 
Leave a comment