Description
A local attacker can bypass OpenEDR 2.5.1.0's self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.
Published: 2026-03-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability permits a local attacker to bypass OpenEDR 2.5.1.0's self-defense mechanism by renaming a malicious executable to a trusted process name such as csrss.exe, edrsvc.exe, or edrcon.exe. Because trust is decided by the process name alone, the renamed executable can interact with the OpenEDR kernel driver and invoke privileged API calls (configuration changes, process monitoring, and IOCTL communication) that are intended to be restricted to trusted components. Although this alone does not grant SYSTEM privileges, it breaks the trust model and can facilitate further exploitation that may lead to full local privilege escalation.

Affected Systems

Affected system: Xcitium OpenEDR version 2.5.1.0, as identified by the CPE string cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Attackers would need local access and the ability to place or rename a file on the system, a precondition that a local threat actor commonly already satisfies in privilege escalation scenarios. The risk is significant for environments relying on OpenEDR's self-defense to enforce component trust boundaries.

Generated by OpenCVE AI on March 20, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available OpenEDR update or patch if released.
  • If no update is available, revoke local user privileges that allow execution of new files and enforce strict controls on executable naming conventions.
  • Monitor the system for processes bearing names of trusted components that are not legitimate and investigate promptly.
  • If the vendor has not patched the issue, consider hardening the kernel driver access or disabling it for untrusted executables until a fix is available.
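As an added illustration (not OpenEDR's code) of why the name-only trust decision described above fails, and of the monitoring the recommended actions call for, the following Python compares a name-only check with one that also verifies the image path and the verified signer of the process. The expected directories and signer names are assumed placeholders, not OpenEDR's real install layout or certificates, and the process table is constructed sample data.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Trusted process names as listed in the advisory.
TRUSTED_NAMES = {"csrss.exe", "edrsvc.exe", "edrcon.exe"}

# ASSUMED allow-list: expected image directory and verified signer subject per name.
# Placeholders only; not OpenEDR's actual paths or certificate subjects.
EXPECTED = {
    "csrss.exe": (r"c:\windows\system32", "Microsoft Windows"),
    "edrsvc.exe": (r"c:\program files\openedr", "EXAMPLE EDR VENDOR"),
    "edrcon.exe": (r"c:\program files\openedr", "EXAMPLE EDR VENDOR"),
}

@dataclass
class Proc:
    pid: int
    name: str              # image file name as reported by the OS
    path: str              # full image path
    signer: Optional[str]  # verified Authenticode signer, or None if unsigned/invalid

def trusted_by_name(p: Proc) -> bool:
    """The weak check the advisory describes: the file name alone decides trust."""
    return p.name.lower() in TRUSTED_NAMES

def trusted_by_identity(p: Proc) -> bool:
    """Hardened check: the name must match AND the image must live in the expected
    directory AND carry the expected verified signature."""
    exp = EXPECTED.get(p.name.lower())
    if exp is None:
        return False
    exp_dir, exp_signer = exp
    in_dir = ntpath.dirname(p.path.lower()) == exp_dir
    return in_dir and p.signer == exp_signer

def find_impostors(procs: List[Proc]) -> List[int]:
    """Detection: PIDs that pass the name check but fail the identity check."""
    return [p.pid for p in procs if trusted_by_name(p) and not trusted_by_identity(p)]

# Constructed sample process table (PIDs, paths and signers are made up).
SAMPLE = [
    Proc(612, "csrss.exe", r"C:\Windows\System32\csrss.exe", "Microsoft Windows"),
    Proc(2210, "edrsvc.exe", r"C:\Program Files\OpenEDR\edrsvc.exe", "EXAMPLE EDR VENDOR"),
    Proc(4520, "edrsvc.exe", r"C:\Users\alice\Downloads\edrsvc.exe", None),
    Proc(4788, "notepad.exe", r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    print("suspicious PIDs:", find_impostors(SAMPLE))  # prints [4520]
```

On a live host the signer field would come from Authenticode verification (for example PowerShell's Get-AuthenticodeSignature or WinVerifyTrust) rather than from embedded data.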


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | OpenEDR Local Self-Defense Bypass Leading to Privilege Escalation

Fri, 20 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Xcitium; Xcitium openedr
CPEs | | cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*
Vendors & Products | | Xcitium; Xcitium openedr

Tue, 17 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-250
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Comodosecurity; Comodosecurity openedr
Vendors & Products | | Comodosecurity; Comodosecurity openedr

Mon, 16 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | A local attacker can bypass OpenEDR 2.5.1.0's self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-17T13:54:12.332Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69783

Vulnrichment

Updated: 2026-03-17T13:54:03.696Z

NVD

Status: Analyzed

Published: 2026-03-16T16:16:13.333

Modified: 2026-03-20T13:55:32.240

Link: CVE-2025-69783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:54Z

Weaknesses