{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69784", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-16T18:52:07.059Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-03-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T15:40:15.852Z"}, "descriptions": [{"lang": "en", "value": "A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/"}, {"url": "https://github.com/ComodoSecurity/openedr"}, {"url": "https://www.openedr.com/"}, {"url": "https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba"}, {"url": "https://github.com/ComodoSecurity/openedr/issues/49"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-427", "lang": "en", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:51:40.311839Z", "id": "CVE-2025-69784", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:52:07.059Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69784", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T18:51:40.311839Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:49:49.797Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/"}, {"url": "https://github.com/ComodoSecurity/openedr"}, {"url": "https://www.openedr.com/"}, {"url": "https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba"}, {"url": "https://github.com/ComodoSecurity/openedr/issues/49"}], "descriptions": [{"lang": "en", "value": "A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-16T15:40:15.852Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69784", "state": "PUBLISHED", "dateUpdated": "2026-03-16T18:52:07.059Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2BE1711-EE54-4E5D-A6CD-40033932443C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system."}, {"lang": "es", "value": "Un atacante local y no privilegiado puede abusar de una interfaz IOCTL vulnerable expuesta por el controlador del kernel OpenEDR 2.5.1.0 para modificar la ruta de inyecci\u00f3n de DLL utilizada por el producto. Al redirigir esta ruta a una ubicaci\u00f3n escribible por el usuario, un atacante puede hacer que OpenEDR cargue una DLL controlada por el atacante en procesos de alto privilegio. Esto resulta en ejecuci\u00f3n de c\u00f3digo arbitrario con privilegios de SYSTEM, lo que lleva a un compromiso total del sistema afectado."}], "id": "CVE-2025-69784", "lastModified": "2026-03-20T13:51:52.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-16T16:16:13.460", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/ComodoSecurity/openedr"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ComodoSecurity/openedr/issues/49"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.openedr.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.5.1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "openedr", "vendor": "comodosecurity"}], "analysis": {"en": {"generated_at": "2026-03-20T15:55:31.794386+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenEDR update that fixes the IOCTL path modification flaw.", "If no patch is available, limit local access to the OpenEDR kernel driver by tightening ownership and permissions or disabling the vulnerable IOCTL interface if possible.", "As a temporary safeguard, implement application whitelisting or DLL search order hardening to block the loading of attacker\u2011controlled DLLs."], "summary": {"action": "Immediate Patch", "impact": "SYSTEM Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenEDR product, specifically version 2.5.1.0. No additional vendor or product details are supplied by the CNA.", "description_and_impact": "An attacker with only local, non\u2011privileged access can exploit a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver. By altering the DLL injection path to a user\u2011writable location, the attacker causes OpenEDR to load a malicious DLL into processes that run with SYSTEM privileges. This leads to arbitrary code execution with full system rights, allowing the attacker to read, modify, or delete data and disable services.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires local interaction with the kernel driver, and the path\u2011redirection weakness (CWE\u2011427) makes the attack straightforward once the vulnerable IOCTL call can be invoked."}}}}, "created": "2026-03-17T09:55:28.830479+00:00", "title": "Local Vulnerable IOCTL Enables DLL Injection for SYSTEM Privilege Escalation", "updated": "2026-03-23T14:00:53.551490+00:00", "vendors": ["comodosecurity", "comodosecurity$PRODUCT$openedr"]}