CVE-2025-69784

Severity: High · Public PoC referenced
Published: 16 March 2026
Modified: 20 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v3.1 base score: 8.8 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0018 (7.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-69784 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Xcitium Openedr. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69784 is a vulnerability in the OpenEDR 2.5.1.0 kernel driver, where a vulnerable IOCTL interface allows modification of the product's DLL injection path. Published on 2026-03-16, it is rated 8.8 on the CVSS v3.1 scale (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-427 (Uncontrolled Search Path Element). By exploiting this interface, an attacker redirects the path to a user-writable location, causing OpenEDR to load an attacker-controlled DLL into high-privilege processes.

A local, non-privileged attacker can exploit this vulnerability to achieve arbitrary code execution with SYSTEM privileges, leading to full system compromise. The low attack complexity and lack of user interaction requirements make it straightforward for an authenticated low-privilege user on the system to trigger the issue and elevate privileges.

Mitigation details, advisories, and patches are referenced in sources including https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba, https://github.com/ComodoSecurity/openedr, https://github.com/ComodoSecurity/openedr/issues/49, https://scavengersecurity.com/posts/edr-as-rootkit-2/, and https://www.openedr.com/. Security practitioners should consult these for update instructions and workarounds.

Vulnerability details

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.

CWE(s)

CWE-427 (Uncontrolled Search Path Element)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.001 DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.

Why these techniques?

The vulnerable IOCTL enables path redirection, so an attacker-controlled DLL is loaded into privileged processes (DLL side-loading), resulting in local privilege escalation to SYSTEM.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69783 (same product: Xcitium Openedr)
CVE-2026-7279 (shared CWE-427)
CVE-2024-9495 (shared CWE-427)
CVE-2026-24502 (shared CWE-427)
CVE-2024-9492 (shared CWE-427)
CVE-2024-55898 (shared CWE-427)
CVE-2024-10930 (shared CWE-427)
CVE-2024-9494 (shared CWE-427)
CVE-2025-65118 (shared CWE-427)
CVE-2024-55540 (shared CWE-427)

Affected Assets

Vendor: xcitium · Product: openedr · Version: 2.5.1.0

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw Remediation (SI-2). Timely flaw remediation through patching the OpenEDR kernel driver directly eliminates the vulnerable IOCTL interface that allows path modification.

Prevent: Least Privilege (AC-6). Enforces least privilege to block non-privileged local users from accessing the exposed IOCTL used to modify the DLL injection path.

Prevent: Information Input Validation (SI-10). Validates IOCTL inputs to prevent setting the DLL injection path to attacker-controlled, user-writable locations.
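As an added illustration of the SI-10 control above (example code written for this page, not OpenEDR's own driver code), the following user-mode Python model shows the kind of check an IOCTL handler needs before accepting a new DLL injection path: canonicalise the value, require an absolute drive-letter path, and accept it only under a constructed allowlist of administrator-only directories, so traversal, mixed separators, UNC and device-namespace paths, and user-writable locations are all rejected.

```python
import ntpath

# Constructed allowlist for this example: directories that only administrators
# can write to on a default Windows install. The real fix belongs in the kernel
# driver's IOCTL handler; this user-mode function only models that check.
TRUSTED_DLL_DIRS = (
    r"C:\Windows\System32",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def canonicalize(path: str) -> str:
    """Unify separators, collapse '.' and '..', and fold case so the
    allowlist comparison cannot be bypassed by spelling variants."""
    return ntpath.normcase(ntpath.normpath(path))


def is_acceptable_injection_path(path: str) -> bool:
    """Return True only for an absolute, drive-letter .dll path that lives
    under one of TRUSTED_DLL_DIRS after canonicalisation."""
    if not path or "\x00" in path:
        return False
    # UNC shares (\\host\share) and the device namespace (\\?\, \\.\) can point
    # at attacker-controlled storage or sidestep the prefix check; refuse both.
    if path.startswith(("\\\\", "//")):
        return False
    canon = canonicalize(path)
    drive, _ = ntpath.splitdrive(canon)
    # Relative and drive-relative paths resolve against the caller's working
    # directory, which the caller controls; insist on the form "X:\...".
    if not drive or not ntpath.isabs(canon):
        return False
    if not canon.endswith(".dll"):
        return False
    for trusted in TRUSTED_DLL_DIRS:
        root = canonicalize(trusted)
        # Match on a directory boundary so "C:\Program FilesEvil\x.dll" fails.
        if canon.startswith(root + "\\"):
            return True
    return False
```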