Cyber Resilience

CVE-2025-69689

High · LPE

Published: 27 April 2026

Modified: 27 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0010 (1.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-69689 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Getfancontrol (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-69689, published on 2026-04-27T18:16:53.160, is an improper privilege handling vulnerability (CWE-269) in the Fan Control application version V251. The issue resides in the application's Open File Dialog, which processes user-supplied paths using elevated permissions. This flaw has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

A local attacker with low privileges (PR:L) can exploit the vulnerability with low complexity and without user interaction (UI:N). By providing malicious paths to the Open File Dialog, the attacker can execute arbitrary actions under administrator-level privileges, escalating beyond the vulnerable component's own security scope (S:C).

Mitigation details and related advisories are available through the following references: https://getfancontrol.com, https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529, https://github.com/Rem0o/FanControl.Releases, and https://github.com/Rem0o/FanControl.Releases/releases/tag/V251. Security practitioners should consult these sources for patch information and remediation guidance specific to Fan Control V251.

Vulnerability details

The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.

CWE(s)

CWE-269: Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via improper elevated handling of user-supplied paths in Open File Dialog (CWE-269).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896 (Shared CWE-269)
CVE-2025-27639 (Shared CWE-269)
CVE-2025-8899 (Shared CWE-269)
CVE-2025-26705 (Shared CWE-269)
CVE-2015-10139 (Shared CWE-269)
CVE-2026-8972 (Shared CWE-269)
CVE-2025-0893 (Shared CWE-269)
CVE-2026-6769 (Shared CWE-269)
CVE-2025-2858 (Shared CWE-269)
CVE-2025-48613 (Shared CWE-269)

Affected Assets

Getfancontrol
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Enforces the least privilege principle, preventing the Fan Control application's Open File Dialog from processing user-supplied paths with unnecessary elevated administrator permissions.

Prevent: Mandates enforcement of approved access control policies, ensuring user-supplied paths in the Open File Dialog do not allow unauthorized privilege escalation actions.

Prevent: Requires validation of user-supplied inputs such as paths, blocking malicious paths from exploitation in the elevated Open File Dialog.
