SB20260422181 - Arbitrary file read in Progress OpenEdge
Published: April 22, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2025-7389)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in the AdminServer RMI interface when handling file access methods. A local user can invoke exposed RMI methods to disclose sensitive information.
The issue affects validated OS users because the AdminServer process performs file access with its own delegated authority, which can bypass normal OS-level file permission checks.
Remediation
Install update from vendor's website.