EUVD-2025-209440

CVE-2025-8095 | CRITICAL
Published 2026-04-14 | Vendor: Progress Software
CVSS 4.0 base score: 9.1

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:M/U:Red

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 14, 2026 - 17:02 (vuln.today)
CVSS Changed: Apr 14, 2026 - 14:22 (NVD), 9.1 (CRITICAL)

Description (NVD)

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.

Analysis (AI)

Progress OpenEdge 12.2.0 through 12.2.18 and 12.8.0 through 12.8.9 expose stored passwords and secrets to recovery because the OECH1 prefix encoding is cryptographically weak. Remote unauthenticated attackers who obtain OECH1-encoded values can recover the obfuscated credentials and sensitive data (CVSS 9.1, VC:H/VI:H). No public exploit was identified at the time of analysis, but the SSVC framework rates the vulnerability as automatable with total technical impact, so credential harvesting is straightforward once the encoded values are accessed.

Technical Context (AI)

OECH1 is a proprietary obfuscation scheme used across Progress OpenEdge platform components (application server, database, middleware) to encode sensitive configuration values such as passwords, API keys, and database connection strings. Unlike the platform's symmetric encryption-based encodings (AES, 3DES), OECH1 relies on a reversible obfuscation algorithm susceptible to cryptanalysis and brute-force recovery. The vulnerability falls under CWE-257 (Storing Passwords in a Recoverable Format): the encoding provides only superficial protection against credential extraction. Affected OpenEdge products include both the 12.2.x LTS branch (versions 12.2.0 through 12.2.18) and the 12.8.x current branch (12.8.0 through 12.8.9), per CPE cpe:2.3:a:progress_software_corporation:openedge. Configuration files, environment variables, and runtime parameters carrying OECH1-prefixed values are vulnerable wherever they are stored or transmitted. The cryptographic weakness is intrinsic to the algorithm's design, not an implementation flaw, so it requires migration to an alternative encoding rather than a patch.

Remediation (AI)

Progress Software mandates immediate replacement of all OECH1-encoded values with the alternative symmetric encryption-based prefix encodings supported in current OpenEdge versions, including OESHA256, OEAES, or other vendor-approved schemes documented in the security advisory. Organizations should inventory all configuration files, environment variables, startup scripts, and database connection pools for OECH1-prefixed strings, using vendor-provided scanning tools or custom regex patterns (search for the OECH1: prefix in .properties, .xml and .ini files). Re-encode the identified secrets using OpenEdge's proenv utility or Secrets Manager integration, then rotate the underlying credentials to invalidate any values that may already have been recovered. The vendor advisory at https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection includes migration scripts and encoding conversion procedures. No drop-in patch exists because the flaw is architectural; remediation requires manual re-encoding and credential rotation across all OpenEdge deployments. During remediation, implement access controls on configuration files, encrypt backups that contain secrets, and audit code repositories for checked-in OECH1 values.
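As an added illustration of the inventory step above (example code written for this page, not a Progress tool or script from the advisory), the scanner below walks a directory tree, flags every `OECH1:`-prefixed value in .properties, .xml and .ini files, and reports the location with the encoded value redacted so the report itself does not leak secrets. The sample configuration tree and its encoded values are constructed placeholders, not real OECH1 encodings.

```python
import os
import re
import tempfile

# Matches a value carrying the OECH1 prefix; the encoded part is captured
# separately so the report can redact it instead of echoing it back.
OECH1_RE = re.compile(r"(OECH1:)([^\s\"'<]+)")
# File types named in the remediation guidance as places to search.
CONFIG_EXTS = (".properties", ".xml", ".ini")

def find_oech1_values(root):
    """Return (relative path, line number, redacted match) for each
    OECH1-prefixed value found in a configuration file under `root`."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(CONFIG_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in OECH1_RE.finditer(line):
                        redacted = m.group(1) + "*" * len(m.group(2))
                        findings.append((os.path.relpath(path, root), lineno, redacted))
    return findings

# Constructed sample tree; the encoded strings are placeholders, not real encodings.
SAMPLE_FILES = {
    "conf/db.properties": "db.user=appuser\ndb.password=OECH1:abc123def\n",
    "conf/appserver.xml": '<conn pwd="OECH1:xyz789"/>\n<conn pwd="OEAES:notflagged"/>\n',
    "conf/legacy.ini": "[svc]\napikey = OECH1:k1k2k3\n",
    "README.txt": "OECH1:ignored-because-not-a-config-file\n",
}

def build_sample_tree():
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="oech1-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, lineno, hit in find_oech1_values(build_sample_tree()):
        print(f"{path}:{lineno}: {hit}")
```

Point `find_oech1_values` at a real OpenEdge installation or configuration repository to produce the inventory; the OEAES-prefixed value in the sample is deliberately left unflagged, since only OECH1 values need re-encoding.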


EUVD-2025-209440 vulnerability details – vuln.today
