CVE-2025-69784
Published: 16 March 2026
Summary
CVE-2025-69784 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Xcitium Openedr. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: timely patching of the OpenEDR kernel driver directly eliminates the vulnerable IOCTL interface that allows the path to be modified.
- AC-6 (Least Privilege): enforces least privilege so that non-privileged local users cannot reach the exposed IOCTL used to modify the DLL injection path.
- SI-10 (Information Input Validation): validates IOCTL inputs so that the DLL injection path cannot be set to attacker-controlled, user-writable locations.
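As an added illustration of the AC-6 and SI-10 controls above (example code written for this page, not OpenEDR's own driver code), the following user-mode C model shows how a "set DLL injection path" IOCTL handler can refuse non-administrator callers and reject any path that is relative, carries a device or UNC prefix, contains traversal components, uses reserved characters, or falls outside an allowlist of administrator-only directories. The function names, the allowlist, and the sample paths are assumptions constructed for the example; a real driver would perform the same checks on a UNICODE_STRING in kernel mode and should additionally verify the target directory's DACL rather than rely on a static list.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by the path validator (hypothetical names). */
enum path_verdict {
    PATH_OK = 0,
    PATH_ERR_EMPTY,
    PATH_ERR_TOO_LONG,
    PATH_ERR_NOT_DRIVE_ABSOLUTE,
    PATH_ERR_DEVICE_OR_UNC,
    PATH_ERR_BAD_CHAR,
    PATH_ERR_TRAVERSAL,
    PATH_ERR_NOT_DLL,
    PATH_ERR_OUTSIDE_ALLOWLIST
};

#define MAX_INJECT_PATH 260 /* classic MAX_PATH bound for the input buffer */

/* Constructed allowlist: directories that only administrators can write to
 * on a default Windows install. The trailing backslash is significant. */
static const char *const k_allowed_roots[] = {
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\System32\\",
};

/* Case-insensitive prefix test; NTFS paths are case-insensitive. */
static bool prefix_match_ci(const char *s, const char *prefix) {
    for (; *prefix; ++s, ++prefix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

static bool suffix_match_ci(const char *s, const char *suffix) {
    size_t ls = strlen(s), lf = strlen(suffix);
    return lf <= ls && prefix_match_ci(s + (ls - lf), suffix);
}

/* SI-10: validate the path supplied through the IOCTL input buffer. */
enum path_verdict validate_injection_path(const char *path) {
    if (path == NULL || path[0] == '\0') return PATH_ERR_EMPTY;
    size_t len = strlen(path);
    if (len >= MAX_INJECT_PATH) return PATH_ERR_TOO_LONG;

    /* \\server\share, \\?\ and \\.\ forms bypass normal path semantics. */
    if (path[0] == '\\' || path[0] == '/') return PATH_ERR_DEVICE_OR_UNC;

    /* Require "<letter>:\" so a relative path, resolved against a working
     * directory the caller controls, is never accepted. */
    if (!isalpha((unsigned char)path[0]) || path[1] != ':' || path[2] != '\\')
        return PATH_ERR_NOT_DRIVE_ABSOLUTE;

    /* Single separator style; no alternate-data-stream or reserved characters. */
    for (size_t i = 3; i < len; ++i) {
        unsigned char c = (unsigned char)path[i];
        if (c < 0x20 || strchr("/:*?\"<>|", c) != NULL) return PATH_ERR_BAD_CHAR;
    }

    /* Walk the components: ".", "..", empty components and trailing dots or
     * spaces all make the effective location differ from the visible string. */
    const char *p = path + 3;
    while (*p) {
        const char *end = strchr(p, '\\');
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        if (clen == 0) return PATH_ERR_TRAVERSAL; /* doubled "\\" inside */
        if ((clen == 1 && p[0] == '.') || (clen == 2 && p[0] == '.' && p[1] == '.'))
            return PATH_ERR_TRAVERSAL;
        if (p[clen - 1] == '.' || p[clen - 1] == ' ') return PATH_ERR_BAD_CHAR;
        if (!end) break;
        p = end + 1;
    }

    if (!suffix_match_ci(path, ".dll")) return PATH_ERR_NOT_DLL;

    for (size_t i = 0; i < sizeof k_allowed_roots / sizeof k_allowed_roots[0]; ++i)
        if (prefix_match_ci(path, k_allowed_roots[i]) && len > strlen(k_allowed_roots[i]))
            return PATH_OK;
    return PATH_ERR_OUTSIDE_ALLOWLIST;
}

enum ioctl_result { IOCTL_ACCEPTED = 0, IOCTL_ACCESS_DENIED, IOCTL_INVALID_PARAMETER };

static char g_injection_path[MAX_INJECT_PATH] = "C:\\Program Files\\Example\\hook.dll";

/* Model of the dispatch decision: AC-6 (caller must hold admin rights, which a
 * real driver would derive from the requesting token or by restricting the
 * device object's DACL) followed by SI-10 (input validation). */
enum ioctl_result handle_set_injection_path(bool caller_is_admin, const char *new_path) {
    if (!caller_is_admin) return IOCTL_ACCESS_DENIED;
    if (validate_injection_path(new_path) != PATH_OK) return IOCTL_INVALID_PARAMETER;
    snprintf(g_injection_path, sizeof g_injection_path, "%s", new_path);
    return IOCTL_ACCEPTED;
}

int main(void) {
    /* Constructed sample requests, printed for a reader running the file. */
    const char *samples[] = {
        "C:\\Program Files\\Example\\hook.dll",          /* accepted */
        "C:\\Users\\Public\\hook.dll",                   /* user-writable: rejected */
        "C:\\Program Files\\..\\Users\\Public\\hook.dll", /* traversal: rejected */
        "\\\\?\\C:\\Windows\\System32\\hook.dll",        /* device prefix: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("admin=1 path=%s -> result %d\n", samples[i],
               (int)handle_set_injection_path(true, samples[i]));
    printf("admin=0 path=%s -> result %d\n", samples[0],
           (int)handle_set_injection_path(false, samples[0]));
    return 0;
}
```

The allowlist stands in for the DACL check a production driver would make against the resolved directory; the key property is that both gates (who may issue the request, and where the path may point) must fail closed independently, so a bypass of one does not hand an unprivileged user a writable injection path.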
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable IOCTL enables path redirection so that an attacker's DLL is loaded into privileged processes (DLL side-loading), resulting in local privilege escalation to SYSTEM.
NVD Description
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
Deeper analysis
CVE-2025-69784 is a vulnerability in the OpenEDR 2.5.1.0 kernel driver: an exposed IOCTL interface allows modification of the product's DLL injection path. Published on 2026-03-16, it is rated 8.8 on the CVSS v3.1 scale (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-427 (Uncontrolled Search Path Element). By exploiting this interface, an attacker redirects the path to a user-writable location, causing OpenEDR to load an attacker-controlled DLL into high-privilege processes.
A local, non-privileged attacker can exploit this vulnerability to achieve arbitrary code execution with SYSTEM privileges, leading to full system compromise. The low attack complexity and lack of user interaction requirements make it straightforward for an authenticated low-privilege user on the system to trigger the issue and elevate privileges.
Mitigation details, advisories, and patches are referenced in sources including https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba, https://github.com/ComodoSecurity/openedr, https://github.com/ComodoSecurity/openedr/issues/49, https://scavengersecurity.com/posts/edr-as-rootkit-2/, and https://www.openedr.com/. Security practitioners should consult these for update instructions and workarounds.
Details
- CWE(s)