CVE-2025-69783
Published: 16 March 2026
Summary
CVE-2025-69783 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Xcitium OpenEDR. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerading: Match Legitimate Resource Name or Location (T1036.005). It ranks at the 3.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-25 (Reference Monitor): implements a tamper-resistant reference monitor that enforces access-control policy on kernel driver interactions, so that a process cannot pass OpenEDR's self-defense check merely by carrying a trusted image name.
- SI-2 (Flaw Remediation): requires timely remediation of the specific flaw in OpenEDR 2.5.1.0 that lets a process with a spoofed name reach privileged kernel driver functions.
- AC-3 (Access Enforcement): enforces approved authorizations for every access to OpenEDR kernel driver resources, blocking IOCTL requests from executables that are not the genuine trusted components.
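To make the difference between the two access-enforcement models concrete, here is an added example in Python; it is not OpenEDR's code and does not reproduce the driver. It simulates the trust decision a self-defense driver makes before honouring an IOCTL: `trusted_by_name` reproduces the weak pattern the advisory describes, keyed on the image basename, while `trusted_by_identity` keys on the normalised full image path together with the image's Authenticode signer. The `Caller` record, the install directory `C:\Program Files\OpenEDR`, the signer name `Xcitium`, and the assumption that signature state has already been established by the caller of the check are all illustrative assumptions.

```python
"""Added illustration, not OpenEDR source: name-based vs identity-based
trust decisions for a kernel self-defense check, simulated in user mode."""
import ntpath
from dataclasses import dataclass
from typing import Dict, Optional

# Image names the advisory lists as trusted by OpenEDR 2.5.1.0's self-defense.
TRUSTED_NAMES = {"csrss.exe", "edrsvc.exe", "edrcon.exe"}

# Assumed expected image paths and signer subjects. The OpenEDR install
# directory and the signer name are assumptions for the example.
TRUSTED_IMAGES: Dict[str, str] = {
    r"c:\windows\system32\csrss.exe": "Microsoft Windows",
    r"c:\program files\openedr\edrsvc.exe": "Xcitium",
    r"c:\program files\openedr\edrcon.exe": "Xcitium",
}


@dataclass(frozen=True)
class Caller:
    """What the check knows about the process issuing the IOCTL."""
    image_path: str            # full path of the process image
    signer: Optional[str]      # Authenticode signer subject, None if unsigned
    signature_valid: bool      # whether that signature verified


def trusted_by_name(caller: Caller) -> bool:
    """Weak pattern: trust is granted on the image basename alone.
    Whoever launches a process chooses its file name, so this attribute
    is entirely under the caller's control and cannot anchor trust."""
    return ntpath.basename(caller.image_path).lower() in TRUSTED_NAMES


def trusted_by_identity(caller: Caller) -> bool:
    """Hardened pattern: exact normalised path plus a valid signature from
    the signer expected for that path. normpath collapses '..' segments,
    so a traversal-shaped path cannot pose as a system location."""
    path = ntpath.normpath(caller.image_path).lower()
    expected_signer = TRUSTED_IMAGES.get(path)
    if expected_signer is None:
        return False
    return caller.signature_valid and caller.signer == expected_signer


def allow_ioctl(caller: Caller, hardened: bool) -> bool:
    """Gate the simulated driver applies before servicing a privileged IOCTL."""
    return trusted_by_identity(caller) if hardened else trusted_by_name(caller)


# Constructed callers for the demonstration.
GENUINE = Caller(r"C:\Windows\System32\csrss.exe", "Microsoft Windows", True)
SPOOFED = Caller(r"C:\Users\attacker\csrss.exe", None, False)              # renamed PoC
COPIED = Caller(r"C:\Users\attacker\csrss.exe", "Microsoft Windows", True)  # genuine binary copied
TRAVERSAL = Caller(r"C:\Windows\System32\..\..\Users\attacker\edrsvc.exe", None, False)


def demo() -> Dict[str, Dict[str, bool]]:
    """Return the decision each model makes for each constructed caller."""
    cases = {"genuine": GENUINE, "spoofed": SPOOFED,
             "copied": COPIED, "traversal": TRAVERSAL}
    return {
        label: {"name_based": allow_ioctl(c, False),
                "identity_based": allow_ioctl(c, True)}
        for label, c in cases.items()
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} {result}")
```

The `copied` case is the one worth noticing: a genuine, validly signed csrss.exe copied to a user-writable directory passes the name check and the signature check, and only the exact-path requirement rejects it, so neither check is sufficient alone. In a real driver the image path must come from the kernel's own view of the process object rather than from anything the requesting process supplies, and stronger designs additionally bind trust to a protected-process level or an explicit caller identity rather than to any file-system attribute.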
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Renaming a malicious executable to a trusted process name so that OpenEDR's self-defense accepts it maps to Masquerading: Match Legitimate Resource Name or Location (T1036.005); using the resulting driver access to alter the EDR's configuration or monitoring maps to Impair Defenses (T1562).
NVD Description
A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.
Deeper analysis
CVE-2025-69783 is a vulnerability in OpenEDR version 2.5.1.0 that allows a local attacker to bypass the product's self-defense mechanism. Because the kernel driver decides whether a process is a trusted component from that process's image name, an attacker who renames a malicious executable to csrss.exe, edrsvc.exe or edrcon.exe is treated as that component and gains unauthorized interaction with the driver. This exposes privileged functionality, including configuration changes, process monitoring and IOCTL communication, that is intended to be restricted to trusted components only. The root cause is that the trust decision keys on an attribute the caller controls entirely, since whoever launches a process chooses its file name.
A local attacker with low privileges (CVSS vector AV:L/AC:L/PR:L) can exploit this issue to break OpenEDR's trust model. The vulnerability alone does not confer SYSTEM privileges, but the sensitive driver operations it exposes are the foothold for further local privilege escalation. The issue carries a CVSS v3.1 base score of 7.8 (High), with confidentiality, integrity and availability impacts all rated High, and is classified under CWE-250 (Execution with Unnecessary Privileges).
Advisories and additional details, including potential patches or mitigation guidance, are available in the OpenEDR GitHub repository at https://github.com/ComodoSecurity/openedr, the related issue tracker at https://github.com/ComodoSecurity/openedr/issues/49, a security analysis at https://scavengersecurity.com/posts/edr-as-rootkit-2/, and the official site https://www.openedr.com/. The CVE was published on 2026-03-16.
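For the detection side, here is an added example in Python; it is not taken from the page's references or from OpenEDR. It is a small rule run over constructed Sysmon Event ID 1 (process creation) records that flags any process whose image name matches one of the names the advisory says OpenEDR trusts but which either starts from an unexpected directory or carries a PE OriginalFileName that differs from its on-disk name, both standard indicators of T1036.005. The OpenEDR install directory is assumed, and the events are constructed for the example.

```python
"""Added detection example, not OpenEDR code: spot processes masquerading
as OpenEDR-trusted image names in Sysmon-style process-creation events."""
import ntpath
from typing import Dict, Iterable, List, Optional

# Image names the advisory says OpenEDR 2.5.1.0 trusts, mapped to the
# directory each is expected to run from. The OpenEDR path is assumed.
WATCHED: Dict[str, str] = {
    "csrss.exe": r"c:\windows\system32",
    "edrsvc.exe": r"c:\program files\openedr",
    "edrcon.exe": r"c:\program files\openedr",
}

# Constructed Sysmon Event ID 1 records (field names as Sysmon emits them).
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\csrss.exe",
     "OriginalFileName": "CSRSS.Exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\csrss.exe",
     "OriginalFileName": "poc.exe", "User": r"DESKTOP-1\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\edrsvc.exe",
     "OriginalFileName": "edrsvc.exe", "User": r"DESKTOP-1\alice",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\OpenEDR\edrsvc.exe",
     "OriginalFileName": "edrsvc.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\Downloads\edrsvc.exe",
     "DestinationIp": "10.0.0.5"},   # network event, not a process start
]


def check_event(ev: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it is not suspicious."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    expected_dir = WATCHED.get(name)
    if expected_dir is None:
        return None                      # not a name the EDR trusts
    reasons = []
    # Normalise first so '..' segments cannot dress up an unexpected directory.
    actual_dir = ntpath.dirname(ntpath.normpath(image)).lower()
    if actual_dir != expected_dir:
        reasons.append(f"runs from {actual_dir!r}, expected {expected_dir!r}")
    # A renamed binary usually keeps its original name in the PE version
    # resource; absent resource means this signal is simply unavailable.
    original = (ev.get("OriginalFileName") or "").lower()
    if original and original != name:
        reasons.append(f"PE OriginalFileName {original!r} != on-disk name {name!r}")
    if not reasons:
        return None
    return {"image": image, "user": ev.get("User"),
            "parent": ev.get("ParentImage"), "technique": "T1036.005",
            "reasons": reasons}


def analyze(events: Iterable[dict]) -> List[dict]:
    """Run the rule over a stream of events and collect the findings."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["image"], "->", "; ".join(finding["reasons"]))
```

Fed real Sysmon or EDR process telemetry, the rule produces one finding per suspicious start with the reasons attached, which is what an analyst needs to triage a possible CVE-2025-69783 attempt. Two caveats apply: the path check is only as good as the integrity of the expected directories, so an attacker who can write into the OpenEDR install directory will not trip it, and a binary built without a version resource yields no OriginalFileName, in which case the rule degrades to the path check alone. Detection of this kind narrows the window but does not replace the driver-side fix.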
Details
- CWE(s)