CVE-2015-9245

critical

Published 2017-10-31 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://knowledgebase.progress.com/articles/Article/How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer

Application impact

Vendor	Product	Versions
progress	openedge	`10.2a`
progress	openedge	`10.2b`
progress	openedge	`10.2b07`
progress	openedge	`10.2b08`
progress	openedge	`11.0`
progress	openedge	`11.1`
progress	openedge	`11.2`
progress	openedge	`11.3`
progress	openedge	`11.4`
progress	openedge	`11.5`

References

https://knowledgebase.progress.com/articles/Article/How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer
https://knowledgebase.progress.com/articles/Article/How-to-prevent-Java-RMI-class-loader-exploit-with-AdminServer

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.