CVE-2025-69689
Published: 27 April 2026
Summary
CVE-2025-69689 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the Fan Control application (vendor site getfancontrol.com). Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 1.1st percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-69689, published on 2026-04-27T18:16:53.160, is an improper privilege handling vulnerability (CWE-269) in the Fan Control application version V251. The issue resides in the application's Open File Dialog, which processes user-supplied paths with elevated permissions. The flaw has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): local access, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The changed scope (S:C) reflects that the consequences extend beyond the dialog itself to the whole system.
A local attacker with low privileges (PR:L) can exploit the vulnerability with low complexity and without any interaction from another user. By supplying malicious paths to the Open File Dialog, the attacker can have the elevated application perform arbitrary actions with administrator-level privileges, escalating from a standard user account to full control of the affected system.
Mitigation details and related advisories are available through the following references: https://getfancontrol.com, https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529, https://github.com/Rem0o/FanControl.Releases, and https://github.com/Rem0o/FanControl.Releases/releases/tag/V251. Security practitioners should consult these sources for patch information and remediation guidance specific to Fan Control V251.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209578
Vulnerability details
The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.
- CWE-269: Improper Privilege Management
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
Why these techniques?
Direct local privilege escalation: the Open File Dialog handles user-supplied paths with elevated privileges (CWE-269), so a low-privileged local user can have actions performed as administrator.
Affected Assets
- Fan Control V251 (https://github.com/Rem0o/FanControl.Releases)
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): enforces the least privilege principle, so that the Fan Control Open File Dialog does not process user-supplied paths with administrator permissions it does not need.
- AC-3 (Access Enforcement): mandates enforcement of approved access control policies, so that a path supplied through the Open File Dialog cannot be used to perform actions the user is not authorised for.
- SI-10 (Information Input Validation): requires validation of user-supplied inputs such as paths, blocking malicious paths before the elevated dialog acts on them.
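As an added illustration of the input-validation and least-privilege controls above, and of the "malicious paths" attack surface described in the deeper analysis, the Python below shows the checks an elevated process should apply to a user-supplied path before acting on it. This is example code written for this page, not Fan Control's code, and it is in Python as a portable illustration; the same checks apply in the application's own language. The configuration directory name, the permitted .json extension and the sample directory tree built by run_demo() are assumptions constructed for the example.

```python
"""
Checks that an elevated process should apply to a path supplied by an
unprivileged user (for example, a path chosen in a file dialog) before it
acts on that path with its own privileges.

Added illustrative example, not Fan Control's code. The permitted extension,
the allowed directory and the sample tree built by run_demo() are assumptions.
"""
import tempfile
from pathlib import Path

# Assumption: the dialog exists to pick configuration files of one known type.
ALLOWED_EXTENSIONS = {".json"}


class UnsafePathError(ValueError):
    """Raised when the elevated process must not touch the supplied path."""


def _is_windows_special(raw: str) -> bool:
    """Detect UNC shares, the Win32 device namespace and NT object paths.

    All of these begin with two backslashes or with the NT prefix, and they
    bypass directory-based containment, so they are refused before anything else.
    """
    s = raw.replace("/", "\\")
    return s.startswith("\\\\") or s.startswith("\\??\\")


def validate_user_path(raw: str, allowed_root: str) -> Path:
    """Return the resolved path if it is safe to open with elevated rights.

    allowed_root is the one directory the elevated code is permitted to read from.
    """
    if not raw or "\x00" in raw:
        raise UnsafePathError("empty path or embedded NUL byte")
    if _is_windows_special(raw):
        raise UnsafePathError("UNC, device or NT namespace paths are not permitted")

    root = Path(allowed_root).resolve(strict=True)
    candidate = Path(raw)
    if not candidate.is_absolute():
        raise UnsafePathError("only absolute paths are accepted")

    # Refuse a symlink or junction at any component: a low-privileged user who
    # owns part of the tree could otherwise redirect the elevated process to a
    # protected file that it would then read or overwrite on the user's behalf.
    parts = candidate.parts
    for i in range(1, len(parts) + 1):
        prefix = Path(*parts[:i])
        if prefix.is_symlink():
            raise UnsafePathError(f"symlink or junction in path: {prefix}")

    # Canonicalise (collapses '..') and require the result to stay inside root.
    try:
        resolved = candidate.resolve(strict=True)
    except OSError as exc:
        raise UnsafePathError(f"cannot resolve path: {exc}") from exc
    if resolved != root and root not in resolved.parents:
        raise UnsafePathError("path escapes the allowed directory")
    if resolved.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePathError(f"unexpected file type: {resolved.suffix!r}")
    if not resolved.is_file():
        raise UnsafePathError("not a regular file")
    return resolved


def run_demo() -> dict:
    """Exercise the check against a constructed directory tree; returns case -> outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "FanControlConfigs"  # assumed configuration directory
        root.mkdir()
        (root / "fans.json").write_text("{}")
        (root / "notes.txt").write_text("")
        (base / "outside.json").write_text("{}")
        # A link planted by the low-privileged user that points outside the root.
        (root / "escape.json").symlink_to(base / "outside.json")

        cases = {
            "inside": str(root / "fans.json"),
            "traversal": str(root / ".." / "outside.json"),
            "symlink": str(root / "escape.json"),
            "wrong_ext": str(root / "notes.txt"),
            "unc": r"\\attacker\share\fans.json",
            "device": r"\\.\PhysicalDrive0",
            "relative": "fans.json",
        }
        for name, raw in cases.items():
            try:
                validate_user_path(raw, str(root))
                results[name] = "accepted"
            except UnsafePathError as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:10} {outcome}")
```

validate_user_path() rejects UNC and device-namespace paths, relative paths, any symlink or junction along the path, anything that resolves outside the allowed directory, and unexpected file types. Two caveats: the check runs before the file is opened, so the elevated code must open the validated path it was returned rather than re-reading the raw string; and validation is a second layer, not a substitute for the AC-6 fix of presenting the dialog from an unelevated process and handing only the validated path to the privileged component.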