Remote Code Execution Vulnerability in Progress OpenEdge

FR-2025-001 - Remote Code Execution Vulnerability in Progress OpenEdge

Severity
High
Published Date
04-Sep-2025
Updated Date
04-Sep-2025
Vulnerabilities
CVE-2025-7388
Notes
Description

An OS command injection vulnerability in Progress OpenEdge allows authenticated remote attackers to execute system commands in the context of NT AUTHORITY\SYSTEM.


Vulnerabilities

Remote Code Execution Vulnerability in Progress OpenEdge
Severity
High
CVE
CVE-2025-7388
CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Discovery Date
04-Nov-2024
CVSSv3.1
8.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L)
Affected Products
Progress OpenEdge 12.8.8 and earlier
Progress OpenEdge 12.2.17 and earlier
Vulnerability Notes
Details

Timeline

  • 2024-12-09 – Fortra reported the issue to Progress Software via BugCrowd with a POC.

  • 2024-12-11 – Progress Software indicated that OpenEdge development had reproduced and confirmed the vulnerability.

  • 2025-01-21 – Fortra asked when a fix would be available.

  • 2025-02-10 – Progress Software provided a timeline for fixes.

  • 2025-06-25 – Progress Software replied with adjusted GA dates.

  • 2025-07-21 – Progress Software confirmed that they were on track for a July 29 delivery date and provided CVE-2025-7388 with a CVSS score of 8.4 and vector AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L.

  • 2025-07-21 – Fortra replied that it would hold any publication until the CVEs were publicly available.

  • 2025-07-28 – Progress Software delayed the OpenEdge 12.2.18 release until mid-August.

  • 2025-08-15 – Progress Software released OpenEdge 12.2.18.

  • 2025-09-04 – Progress Software published the CVE and product alert.

References

Acknowledgements

Fortra would like to thank the following individuals:

  • Marcos Accossatto