CVE-2025-7388: 
Progress OpenEdge vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-7388) was discovered in Progress Software's OpenEdge AdminServer component. The vulnerability affects OpenEdge LTS Releases 12.2.17, 12.8.8, and all earlier versions, allowing authenticated users to perform Remote Command Execution (RCE) via the Java RMI interface. The flaw was disclosed on September 4, 2025, and received a CVSS score of 8.4 (High) (NVD, Security Online).

The vulnerability exists in the AdminServer component which supports Java RMI for remote administrative operations. The flaw allows manipulation of configuration properties, specifically through the workDir parameter passed as the –w jvmStart argument. The issue stems from improper sanitization of quoted strings, enabling OS command injection. While the RMI registry restricts access to registered stubs, it does not control the internal operations those stubs invoke, leading to potential command execution under the delegated authority of the AdminServer process (Security Online).

The vulnerability allows authenticated attackers to inject and execute operating system commands under the delegated authority of the AdminServer process. Since AdminServer typically runs with elevated privileges, successful exploitation could lead to significant system compromise. The flaw impacts both remote and local AdminServer clients, and even with restricted access, authenticated but unauthorized RMI requests could trigger RCE (Security Online).

Progress Software has released patches in OpenEdge LTS Update 12.2.18 and 12.8.9. The fixes include input sanitization for WorkDir values and RMI hardening by disabling remote RMI by default. For environments unable to patch immediately, recommended mitigations include: disabling Remote RMI, restricting RMI access with firewall rules, running AdminServer with least privilege, enabling JVM Security Manager, monitoring logs, and removing unused AdminServer plugins (Security Online).