CVE-2025-7389
Received Received - Intake
OS-Level Access via RMI File Methods in OpenEdge AdminServer

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: Progress Software Corporation

Description
A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI.  The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-7389
EUVD
EUVD-2025-209437
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
progress openedge *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability grants authenticated users OS-level access to the server with elevated privileges, potentially allowing unauthorized reading of arbitrary files on the host system. Such unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and protected health information.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive data to unauthorized users.

Executive Summary

This vulnerability exists in the AdminServer component of OpenEdge on all supported platforms. It allows authenticated users to gain operating system-level access to the server by leveraging the elevated privileges of the AdminServer process.

Specifically, users could misuse the setFile() and openFile() methods exposed through the RMI interface to read arbitrary files on the host system. The ability to exploit these methods was limited only by the OS-level authority granted to the AdminServer and the user's access to these methods via RMI.

The vulnerability has been addressed by removing these exploitable methods, thereby eliminating their access through RMI or downstream of the RMI registry.

Impact Analysis

This vulnerability can have serious impacts as it grants authenticated users elevated OS-level access to the server. This means that users could potentially read arbitrary files on the host system, which may include sensitive or confidential information.

Such unauthorized access could lead to data breaches, exposure of sensitive information, and compromise of the server's integrity and confidentiality.

Mitigation Strategies

The vulnerability arises from the misuse of the setFile() and openFile() methods exposed through the RMI interface in the AdminServer component of OpenEdge.

Immediate mitigation involves ensuring that the exploitable methods have been removed or disabled, thus eliminating their access through RMI or downstream of the RMI registry.

Since the vulnerability requires authenticated users and elevated privileges, restricting access to the AdminServer process and limiting user permissions can also help mitigate the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart