๐Ÿ” CVE Alert

CVE-2025-7388

HIGH 8.4

Authenticated Command Injection via configuration parameter manipulation in exposed RMI interface

CVSS Score: 8.4
EPSS Score: 0.0%
EPSS Percentile: 0th

It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated authority of the AdminServer process. An RMI interface permitted manipulation of a configuration property with inadequate input validation leading to OS command injection.

CWE: CWE-77
Vendor: Progress Software Corporation
Product: OpenEdge
Published: Sep 4, 2025
Last Updated: Feb 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Affected Versions

Progress Software Corporation / OpenEdge
OpenEdge 12.2.0 < 12.2.18
OpenEdge 12.8.0 < 12.8.8

References

NVD, CVE.org, EPSS Data
community.progress.com: https://community.progress.com/s/article/Important-RCE-Security-Update-for-OpenEdge-AdminServer