The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-7389

CVE-2025-7389: OpenEdge AdminServer Privilege Escalation

CVE-2025-7389 is a privilege escalation vulnerability in OpenEdge AdminServer that allows authenticated users to read arbitrary files with elevated OS-level privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: April 17, 2026

CVE-2025-7389 Overview

A vulnerability in the AdminServer component of Progress OpenEdge grants authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI.

Critical Impact

Authenticated attackers can read arbitrary files on the host system, potentially exposing sensitive configuration files, credentials, database contents, and other confidential data stored on the server.

Affected Products

  • Progress OpenEdge AdminServer (all supported platforms)
  • Systems exposing AdminServer RMI interface to authenticated users
  • Environments with elevated AdminServer process privileges

Discovery Timeline

  • 2026-04-14 - CVE-2025-7389 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2025-7389

Vulnerability Analysis

This vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties), representing a significant information disclosure risk. The AdminServer component in Progress OpenEdge exposes Java RMI (Remote Method Invocation) methods that were intended for legitimate administrative operations but can be abused to read arbitrary files from the underlying operating system.

The core issue stems from the AdminServer process running with elevated privileges on the host system. When authenticated users invoke the setFile() and openFile() methods through the RMI interface, these operations execute with the AdminServer's privilege level rather than the user's actual permissions. This privilege inheritance model creates a dangerous scenario where an authenticated user with limited actual permissions can leverage the AdminServer's elevated context to access files they should not be able to read.

The vulnerability requires network access and authenticated user credentials to exploit, but once these prerequisites are met, the attacker gains read access to any file accessible to the AdminServer process. Given that administrative services typically run with high privileges, this often translates to system-wide file read capabilities.

Root Cause

The root cause of this vulnerability lies in the exposure of file system operations (setFile() and openFile() methods) through the RMI interface without adequate access control validation. The AdminServer failed to verify whether the authenticated user should have permission to access the requested files, instead relying solely on the process's own elevated privileges to perform file operations. This architectural flaw allowed authenticated users to inherit the AdminServer's file system access capabilities through RMI method calls.

Attack Vector

The attack vector involves an authenticated user connecting to the AdminServer's RMI interface over the network. The attacker leverages their authenticated session to invoke the setFile() method to specify a target file path, followed by openFile() to retrieve the contents of that file. The AdminServer processes these requests using its own elevated privileges, bypassing any file system permissions that would normally restrict the authenticated user's access.

The vulnerability is exploited through the following mechanism:

  1. Attacker authenticates to the OpenEdge AdminServer using valid credentials
  2. Attacker connects to the RMI registry and obtains a reference to the AdminServer remote object
  3. Attacker invokes setFile() with a path to a sensitive file (e.g., /etc/shadow, configuration files, or application secrets)
  4. Attacker calls openFile() to retrieve and read the file contents
  5. The AdminServer executes these operations with its elevated privileges, returning data the user should not access

Detection Methods for CVE-2025-7389

Indicators of Compromise

  • Unusual RMI connections to AdminServer from unexpected network locations or user accounts
  • Log entries showing setFile() or openFile() method invocations targeting sensitive system files
  • Access attempts to files outside normal application directories (e.g., /etc/passwd, /etc/shadow, Windows SAM files)
  • Spike in AdminServer RMI activity from authenticated sessions that typically have limited operations

Detection Strategies

  • Monitor AdminServer logs for file access operations targeting sensitive system paths
  • Implement network detection rules to identify RMI traffic patterns associated with file enumeration
  • Deploy file integrity monitoring (FIM) on critical system files to detect unauthorized read attempts
  • Enable verbose logging on AdminServer components to capture method invocation details

Monitoring Recommendations

  • Configure SIEM rules to alert on AdminServer file access operations outside normal working directories
  • Establish baseline RMI activity patterns and alert on deviations indicating potential exploitation
  • Monitor for authentication attempts followed by unusual file system query patterns
  • Implement user behavior analytics (UBA) to detect authenticated users accessing files inconsistent with their role

How to Mitigate CVE-2025-7389

Immediate Actions Required

  • Apply the security update from Progress that removes the exploitable setFile() and openFile() methods from the RMI interface
  • Audit AdminServer access logs to identify any potential past exploitation attempts
  • Review user accounts with AdminServer authentication privileges and remove unnecessary access
  • Implement network segmentation to restrict AdminServer RMI access to trusted administrative networks only

Patch Information

Progress has released a security update that removes the vulnerable setFile() and openFile() methods from the RMI interface, eliminating access through RMI or downstream of the RMI registry. Detailed patch information and download links are available in the Progress Security Update Announcement.

Organizations should prioritize applying this update to all affected OpenEdge AdminServer installations. The patch completely removes the exploitable methods rather than adding additional access controls, providing a definitive remediation.

Workarounds

  • Restrict network access to the AdminServer RMI interface using firewall rules to limit exposure to trusted IP addresses only
  • Run the AdminServer process with minimal required privileges to limit the scope of accessible files if exploitation occurs
  • Implement additional authentication layers such as VPN requirements before AdminServer access is permitted
  • Monitor and audit all AdminServer RMI connections until the patch can be applied

Administrators should review the AdminServer's running privilege level and consider running it with reduced permissions where operationally feasible. Network-level controls should be implemented immediately to restrict RMI interface access while patching is scheduled.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePrivilege Escalation
  • Vendor/TechOpenedge
  • SeverityHIGH
  • CVSS Score8.2
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-552
  • Technical References
  • Progress Security Update Announcement
  • Related CVEs
  • CVE-2025-8095: OpenEdge OECH1 Encoding Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English