CVE-2025-69783

A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ComodoSecurity/openedr	Product
https://github.com/ComodoSecurity/openedr/issues/49	Issue Tracking Third Party Advisory
https://scavengersecurity.com/posts/edr-as-rootkit-2/	Exploit Third Party Advisory
https://www.openedr.com/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 16:16

Updated : 2026-03-20 13:55

NVD link : CVE-2025-69783

Mitre link : CVE-2025-69783

CVE.ORG link : CVE-2025-69783

JSON object : View

Products Affected

xcitium

openedr

CWE

CWE-250

Execution with Unnecessary Privileges

{"id": "CVE-2025-69783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-16T16:16:13.333", "references": [{"url": "https://github.com/ComodoSecurity/openedr", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/ComodoSecurity/openedr/issues/49", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openedr.com/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-250"}]}], "descriptions": [{"lang": "en", "value": "A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation."}, {"lang": "es", "value": "Un atacante local puede eludir el mecanismo de autodefensa 2.5.1.0 de OpenEDR al renombrar un ejecutable malicioso para que coincida con el nombre de un proceso de confianza (p. ej., 'csrss.exe', 'edrsvc.exe', 'edrcon.exe'). Esto permite la interacci\u00f3n no autorizada con el controlador de kernel de OpenEDR, otorgando acceso a funcionalidades privilegiadas como cambios de configuraci\u00f3n, monitoreo de procesos y comunicaci\u00f3n IOCTL que deber\u00eda estar restringida a componentes de confianza. Si bien este problema por s\u00ed solo no otorga directamente privilegios de SYSTEM, rompe el modelo de confianza de OpenEDR y permite una explotaci\u00f3n adicional que conduce a una escalada de privilegios local completa."}], "lastModified": "2026-03-20T13:55:32.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2BE1711-EE54-4E5D-A6CD-40033932443C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}