Description
The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

The Fan Control application V251 allows a local user to supply a file path in the Open File Dialog that is processed with elevated permissions. This improper privilege handling enables the user to execute actions with administrator‑level access, effectively leaking administrative privileges to an otherwise non‑privileged user. The vulnerability is a classic example of CWE‑269, where privileged operations are performed by a process that may be exploited by a local adversary to compromise the confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is the Fan Control application, specifically version V251. No vendor information is publicly available in the advisory, but the application is hosted on GitHub and appears to be a standalone desktop tool. Because the vulnerability is tied to a specific release, only installations of V251 are directly impacted; earlier or later versions may not contain the flaw, but the advisory does not provide explicit version ranges.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, and no EPSS score is provided, meaning its exploitation probability has not been quantified. It is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is local, requiring the attacker to run the application and manipulate the file selection dialog. Once triggered, the elevated privileges granted by the application allow the attacker to perform arbitrary privileged actions without additional authentication.

Generated by OpenCVE AI on April 28, 2026 at 13:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the most recent Fan Control release that addresses the privilege handling flaw.
  • Restrict local user accounts from launching the application or disable the Open File Dialog for non‑administrator users to limit potential exploitation.
  • Configure the operating system to enforce least privilege, ensuring the application runs with the minimal rights required and does not allow unrestricted file access even when the user supplies a path.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:30:00 +0000

Type | Values Removed | Values Added
Title | | Local Privilege Escalation via Improper Path Handling in Fan Control Open File Dialog

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rem0o; Rem0o fan Control
Vendors & Products | | Rem0o; Rem0o fan Control

Mon, 27 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-269
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:55:25.864Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69689

Vulnrichment

Updated: 2026-04-27T17:52:34.722Z

NVD

Status: Awaiting Analysis

Published: 2026-04-27T18:16:53.160

Modified: 2026-04-27T18:57:20.293

Link: CVE-2025-69689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z