Description
A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server
through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile()
methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer's elevated
privileges granted and the user's access to these methods enabled through RMI.  The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.
Published: 2026-04-14
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Arbitrary file read with OS‑level privilege escalation
Action: Immediate Patch
AI Analysis

Impact

A recon of the AdminServer exposes two RMI methods—setFile() and openFile()—that were incorrectly implemented, allowing authenticated users to request the server to read any file on the underlying operating system. The privilege misassertion grants users full OS‑level read access, potentially exposing sensitive configuration files, credentials, or other data. This flaw matches the CWE‑552 pattern of unauthorized file access.

Affected Systems

The vulnerability affects Progress Software Corporation’s OpenEdge platform on all supported operating systems. All versions of OpenEdge that include the AdminServer component in the RMI interface are susceptible until the methods are removed.

Risk and Exploitability

The CVSS base score of 8.2 indicates a high severity level. No EPSS value is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires authenticated network access to the AdminServer’s RMI services. Therefore, attackers who can obtain valid credentials or compromise an existing authenticated session can trigger the unauthorized file read, making the risk significant for any exposed RMI endpoint.

Generated by OpenCVE AI on April 14, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OpenEdge release where the setFile and openFile methods have been removed from the AdminServer RMI interface.
  • If an upgrade is not immediately possible, limit the RMI interface to trusted network segments and enforce strict authentication policies.
  • Verify that the vulnerable methods are no longer exposed by testing the AdminServer RMI registry after applying the patch or configuration changes.

Generated by OpenCVE AI on April 14, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Progress Software Corporation
Progress Software Corporation openedge
Vendors & Products Progress Software Corporation
Progress Software Corporation openedge

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI.  The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.
Title Unauthorized Arbitrary File Read via RMI in AdminServer Interface
Weaknesses CWE-552
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Progress Software Corporation Openedge
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-14T14:04:52.165Z

Reserved: 2025-07-09T13:01:22.716Z

Link: CVE-2025-7389

cve-icon Vulnrichment

Updated: 2026-04-14T14:04:00.698Z

cve-icon NVD

Status : Received

Published: 2026-04-14T14:16:10.263

Modified: 2026-04-14T14:16:10.263

Link: CVE-2025-7389

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:30Z

Weaknesses