Progress Software has released patches for a high-severity vulnerability in the OpenEdge AdminServer component, tracked as CVE-2025-7388 (CVSS 8.4). The flaw affects OpenEdge LTS Releases 12.2.17, 12.8.8, and all earlier versions, enabling attackers to achieve Remote Command Execution (RCE) via the Java RMI interface.
The AdminServer component supports Java RMI for remote administrative operations, but this also introduces inherent risks. According to Progress, “a product vulnerability, CVE-2025-7388, in the OpenEdge AdminServer component allowed Remote Command Execution (RCE) via the Java RMI interface.”
Because AdminServer typically runs with elevated privileges, malicious requests could exploit exposed RMI stubs, invoking downstream logic not properly controlled by the OS security system.
Progress explains, “the downstream exposures from RMI permitted manipulation of configuration properties, leading to OS command injection through the workDir parameter passed as the -w jvmStart argument. Since quoted strings were not being properly sanitized, attackers could manipulate quotes to inject OS commands.”
The flaw impacts both remote and local AdminServer clients. Even with restricted access, authenticated but unauthorized RMI requests could still trigger RCE.
Progress notes that “while the RMI registry restricts access to registered stubs, it does not control the internal operations those stubs invoke. The vulnerability reflects a broader class of risks tied to insecure Java RMI usage.”
The affected and fixed versions include:
- Vulnerable: OpenEdge 12.2.17 and earlier, 12.8.8 and earlier.
- Fixed: OpenEdge LTS Update 12.2.18 and 12.8.9.
The patch addresses the issue through two key changes:
- Input sanitization – WorkDir values are now forcibly enclosed in double quotes, stripping any injected quotes before processing.
- RMI hardening – Remote RMI is disabled by default in AdminServer configurations, reducing attack exposure.
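To make the sanitization half of the fix concrete, here is an added example (not Progress's code) that applies the quote stripping and double-quote enclosure the advisory describes, and then goes one step further than the vendor patch by pinning the directory under an allow-listed root before assembling the jvmStart argument vector; the launcher name and the root path are assumptions.

```python
import os

# Constructed base directory that workDir values must stay under; this
# allow-list check is an added hardening, not part of the vendor patch.
ALLOWED_ROOT = "/opt/openedge/work"


class UnsafeWorkDirError(ValueError):
    """Raised when a workDir value fails sanitization or validation."""


def sanitize_workdir(value: str) -> str:
    """Apply the fix the advisory describes: remove every embedded double
    quote, then enclose the value in exactly one pair of double quotes so it
    can only ever be a single argument token."""
    if any(ch in value for ch in "\r\n\0"):
        raise UnsafeWorkDirError("control character in workDir")
    return '"' + value.replace('"', "") + '"'


def validate_workdir(value: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Normalize the path and require it to sit under allowed_root, so a
    traversal such as '../..' cannot redirect the work directory."""
    target = os.path.normpath(os.path.abspath(value))
    root = os.path.normpath(os.path.abspath(allowed_root))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeWorkDirError(f"workDir {value!r} is outside {root}")
    return target


def build_jvmstart_args(workdir: str, allowed_root: str = ALLOWED_ROOT) -> list[str]:
    """Return argv for the (hypothetical) jvmStart launcher as a list.
    Handing a list to subprocess keeps the OS shell from ever parsing the
    value, so the quoting is no longer the only line of defence."""
    quoted = sanitize_workdir(workdir)
    bare = quoted[1:-1]
    return ["jvmStart", "-w", validate_workdir(bare, allowed_root)]
```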
Progress strongly advises customers to upgrade, stating: “All prior versions of OpenEdge—including earlier versions of currently supported LTS releases—are subject to RCE risks. Customers are strongly advised to apply the patch to ensure that parameter value sanitization neutralizes this attack risk and remote RMI is disabled when remote access is not required.”
For environments unable to patch immediately, Progress suggests:
- Disable Remote RMI entirely, especially in production.
- Restrict RMI access with firewall rules, alternative ports, and trusted IP whitelisting.
- Run AdminServer with least privilege using a dedicated service account.
- Enable JVM Security Manager with restrictive policies.
- Monitor logs and audit RMI calls for unusual activity.
- Remove unused AdminServer plugins to reduce the RMI attack surface.