CVE-2025-8095

The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.

CVSS

No CVSS.

References

Link	Resource
https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection

Configurations

No configuration.

History

14 Apr 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-14 14:16

Updated : 2026-04-17 15:24

NVD link : CVE-2025-8095

Mitre link : CVE-2025-8095

CVE.ORG link : CVE-2025-8095

JSON object : View

Products Affected

No product.

CWE

CWE-257

Storing Passwords in a Recoverable Format

{"id": "CVE-2025-8095", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@progress.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:M/U:Red", "exploitMaturity": "UNREPORTED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-14T14:16:11.237", "references": [{"url": "https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection", "source": "security@progress.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@progress.com", "description": [{"lang": "en", "value": "CWE-257"}]}], "descriptions": [{"lang": "en", "value": "The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. \u00a0It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. \u00a0OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption."}], "lastModified": "2026-04-17T15:24:57.753", "sourceIdentifier": "security@progress.com"}

CVE-2025-8095

JSON object

Attach tags to CVE-2025-8095

Attach tags to `CVE-2025-8095`