CVE-2025-69784 - Vulnerability Details

- Local Vulnerable IOCTL Enables DLL Injection for SYSTEM Privilege Escalation

Description

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.

Published: 2026-03-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker with only local, non‑privileged access can exploit a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver. By altering the DLL injection path to a user‑writable location, the attacker causes OpenEDR to load a malicious DLL into processes that run with SYSTEM privileges. This leads to arbitrary code execution with full system rights, allowing the attacker to read, modify, or delete data and disable services.

Affected Systems

The vulnerability affects the OpenEDR product, specifically version 2.5.1.0. No additional vendor or product details are supplied by the CNA.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires local interaction with the kernel driver, and the path‑redirection weakness (CWE‑427) makes the attack straightforward once the vulnerable IOCTL call can be invoked.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Comodosecurity

Openedr

95%

Version	Status	Scheme	Platform
`2.5.1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest OpenEDR update that fixes the IOCTL path modification flaw.
If no patch is available, limit local access to the OpenEDR kernel driver by tightening ownership and permissions or disabling the vulnerable IOCTL interface if possible.
As a temporary safeguard, implement application whitelisting or DLL search order hardening to block the loading of attacker‑controlled DLLs.

Generated by OpenCVE AI on March 20, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba
https://github.com/ComodoSecurity/openedr
https://github.com/ComodoSecurity/openedr/issues/49
https://scavengersecurity.com/posts/edr-as-rootkit-2/
https://www.openedr.com/

History

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Title		Local Vulnerable IOCTL Enables DLL Injection for SYSTEM Privilege Escalation

Fri, 20 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xcitium Xcitium openedr
CPEs		cpe:2.3:a:xcitium:openedr:2.5.1.0:::::::*
Vendors & Products		Xcitium Xcitium openedr

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Comodosecurity Comodosecurity openedr
Vendors & Products		Comodosecurity Comodosecurity openedr

Mon, 16 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-427
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
References		https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba https://github.com/ComodoSecurity/openedr https://github.com/ComodoSecurity/openedr/issues/49 https://scavengersecurity.com/posts/edr-as-rootkit-2/ https://www.openedr.com/

Subscriptions

Comodosecurity Openedr

Xcitium Openedr

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-16T00:00:00.000Z

Updated: 2026-03-16T18:52:07.059Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69784

Vulnrichment

Updated: 2026-03-16T18:49:49.797Z

NVD

Status : Analyzed

Published: 2026-03-16T16:16:13.460

Modified: 2026-03-20T13:51:52.123

Link: CVE-2025-69784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:53Z

Weaknesses

CWE-427

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object