CVE-2025-7389

EUVD-2025-209437 | HIGH
2026-04-14 | Progress Software | GHSA-xvm8-45r5-rf28
CVSS 4.0 score: 8.2

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 14, 2026 - 17:01 (vuln.today)
CVSS Changed: Apr 14, 2026 - 14:22 (NVD) - 8.2 (HIGH)

Description (NVD)

A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI. The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.

Analysis (AI)

Progress OpenEdge AdminServer exposes authenticated RMI methods that allow arbitrary file reads with escalated OS privileges across versions 12.2.0-12.2.18. Authenticated administrators can abuse the setFile() and openFile() RMI methods to read sensitive files beyond their intended access level, because the calls execute with the AdminServer process's elevated system permissions rather than the caller's own. EPSS data is not available, and there is no CISA KEV listing, so no active exploitation has been confirmed; SSVC likewise records the exploitation status as 'none' with partial technical impact. The vulnerable methods have been removed in patched versions.

Technical Context (AI)

OpenEdge AdminServer provides administrative RMI (Remote Method Invocation) interfaces for managing the application server infrastructure. The vulnerability stems from CWE-552 (Files or Directories Accessible to External Parties), where the setFile() and openFile() RMI methods were exposed without adequate authorization boundaries. These methods operate under the security context of the AdminServer process, which typically runs with elevated OS privileges to manage server resources. When authenticated administrative users invoke these methods through the RMI registry, they inherit the AdminServer's elevated authority rather than being constrained by their own OS-level permissions. This privilege adoption mechanism, combined with insufficient input validation on file paths, creates a path traversal condition allowing arbitrary file system access. The RMI interface acts as a privilege escalation vector, transforming authenticated administrative access into broader system-level file read capabilities. Affected products include Progress OpenEdge versions 12.2.0 through 12.2.9 and 12.8.0 through 12.2.18 across all supported platforms (Windows, Linux, Unix variants).

Remediation (AI)

Apply the vendor-released security update available through the Progress Community advisory at https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer. The patch removes the exploitable setFile() and openFile() methods from the RMI interface, eliminating their accessibility through the RMI registry and downstream invocation paths. Organizations should upgrade to the patched versions specified in the advisory for their respective branch (12.2.x or 12.8.x series). As an interim mitigation, restrict network access to AdminServer RMI ports (default 20931) using firewall rules to trusted management networks only, implement strict administrative credential rotation policies, and monitor AdminServer logs for unusual file access patterns. Review and minimize the number of accounts with AdminServer administrative privileges following least-privilege principles. Verify that the AdminServer process runs with minimum necessary OS permissions where platform security policies allow reduction of its authority.


CVE-2025-7389 vulnerability details – vuln.today
