CVE-2025-69784

EUVD-2025-208751
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
xcitiumopenedr
2.5.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba
https://github.com/ComodoSecurity/openedr
https://github.com/ComodoSecurity/openedr/issues/49
https://scavengersecurity.com/posts/edr-as-rootkit-2/
https://www.openedr.com/