{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8095", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2025-07-23T16:36:12.176Z", "datePublished": "2026-04-14T13:13:43.739Z", "dateUpdated": "2026-04-14T13:53:51.682Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-14T13:13:43.739Z"}, "title": "Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-257", "description": "CWE-257", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "affected": [{"vendor": "Progress Software Corporation", "product": "OpenEdge", "platforms": ["Windows", "Linux", "64 bit", "32 bit"], "modules": ["OpenEdge Platform Prefix Encodings"], "versions": [{"status": "affected", "version": "12.2.0", "lessThanOrEqual": "12.2.18", "versionType": "custom"}, {"status": "affected", "version": "12.8.0", "lessThanOrEqual": "12.8.9", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div><div><span>The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. &nbsp;It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. &nbsp;OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.</span></div></div>"}]}], "references": [{"url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:Y/V:D/RE:M/U:Red"}}], "credits": [{"lang": "en", "value": "Thomas Riedmaier, Siemens Energy", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:53:38.003023Z", "id": "CVE-2025-8095", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:53:51.682Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:53:38.003023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:53:45.475Z"}}], "cna": {"title": "Recoverable obfuscation using the OECH1 prefix encoding in OpenEdge", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Thomas Riedmaier, Siemens Energy"}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/AU:Y/V:D/RE:M/U:Red", "exploitMaturity": "UNREPORTED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software Corporation", "modules": ["OpenEdge Platform Prefix Encodings"], "product": "OpenEdge", "versions": [{"status": "affected", "version": "12.2.0", "versionType": "custom", "lessThanOrEqual": "12.2.18"}, {"status": "affected", "version": "12.8.0", "versionType": "custom", "lessThanOrEqual": "12.8.9"}], "platforms": ["Windows", "Linux", "64 bit", "32 bit"], "defaultStatus": "affected"}], "references": [{"url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.", "supportingMedia": [{"type": "text/html", "value": "<div><div><span>The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. &nbsp;It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. &nbsp;OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.</span></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-257", "description": "CWE-257"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-14T13:13:43.739Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8095", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:53:51.682Z", "dateReserved": "2025-07-23T16:36:12.176Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-04-14T13:13:43.739Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption."}], "id": "CVE-2025-8095", "lastModified": "2026-04-14T14:16:11.237", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2026-04-14T14:16:11.237", "references": [{"source": "security@progress.com", "url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-257"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux", "64_bit", "32_bit"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.0,12.2.18]"}}, {"platform": ["windows", "linux", "64_bit", "32_bit"], "status": "affected", "versions": {"scheme": "semver", "value": "[12.8.0,12.8.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OpenEdge", "source": "cna", "vendor": "Progress Software Corporation"}, "product": "openedge", "vendor": "progress_software_corporation"}], "analysis": {"en": {"generated_at": "2026-04-14T14:35:31.115166+00:00", "value": {"mitigation_remediation": ["Replace OECH1 prefix encoding with any supported secure prefix encoding based on symmetric encryption.", "Re\u2011encode all existing values that currently use OECH1 to the new secure format.", "Verify the OpenEdge application no longer references OECH1 anywhere in configuration or code.", "If any credentials or secrets were exposed, rotate them immediately and update all affected systems.", "Review database access controls to limit read access to sensitive data during remediation."], "summary": {"action": "Immediate Patch", "impact": "Sensitive data exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects Progress Software Corporation's OpenEdge platform. All instances that rely on OECH1 prefix encoding for protecting values are susceptible. No specific version details are supplied, so any OpenEdge deployment using OECH1 should be considered at risk.", "description_and_impact": "The vulnerability arises from the OECH1 prefix encoding, designed for obfuscation but found to be cryptographically weak. Because of this weakness, any values encoded with OECH1\u2014including credentials and secrets\u2014can be retrieved by attackers who can analyze the encoded data. This can lead to exposure of sensitive data, such as passwords, compromising account integrity and system confidentiality.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical severity, reflecting a serious risk when the encoding is used. The EPSS score is not available, but the lack of KEV listing suggests it is not yet widely exploited. Inferred, the likely attack vector involves an adversary with read access to the database or configuration files that contain OECH1-encoded data, enabling them to decode and recover the original values. The vulnerability does not require special privileges beyond access to stored data, making it both highly impactful and relatively easy to exploit if access is obtained."}}}}, "created": "2026-04-14T16:15:32.554195+00:00", "updated": "2026-04-14T16:30:29.915454+00:00", "vendors": ["progress_software_corporation", "progress_software_corporation$PRODUCT$openedge"]}