CVE-2025-69784

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba	Exploit
https://github.com/ComodoSecurity/openedr	Product
https://github.com/ComodoSecurity/openedr/issues/49	Issue Tracking Third Party Advisory
https://scavengersecurity.com/posts/edr-as-rootkit-2/	Exploit Third Party Advisory
https://www.openedr.com/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-16 16:16

Updated : 2026-03-20 13:51

NVD link : CVE-2025-69784

Mitre link : CVE-2025-69784

CVE.ORG link : CVE-2025-69784

JSON object : View

Products Affected

xcitium

openedr

CWE

CWE-427

Uncontrolled Search Path Element

{"id": "CVE-2025-69784", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2026-03-16T16:16:13.460", "references": [{"url": "https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://github.com/ComodoSecurity/openedr", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/ComodoSecurity/openedr/issues/49", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openedr.com/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-427"}]}], "descriptions": [{"lang": "en", "value": "A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system."}, {"lang": "es", "value": "Un atacante local y no privilegiado puede abusar de una interfaz IOCTL vulnerable expuesta por el controlador del kernel OpenEDR 2.5.1.0 para modificar la ruta de inyecci\u00f3n de DLL utilizada por el producto. Al redirigir esta ruta a una ubicaci\u00f3n escribible por el usuario, un atacante puede hacer que OpenEDR cargue una DLL controlada por el atacante en procesos de alto privilegio. Esto resulta en ejecuci\u00f3n de c\u00f3digo arbitrario con privilegios de SYSTEM, lo que lleva a un compromiso total del sistema afectado."}], "lastModified": "2026-03-20T13:51:52.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2BE1711-EE54-4E5D-A6CD-40033932443C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}