CVE-2025-69784 in OpenEDR
Summary
by MITRE • 03/16/2026
A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2025-69784 represents a critical privilege escalation flaw within the OpenEDR security solution version 2.5.1.0. This issue manifests through a poorly secured IOCTL (Input/Output Control) interface exposed by the kernel driver component of the software. The vulnerability affects systems where OpenEDR is installed and running with elevated privileges, creating a pathway for local attackers to exploit the driver's interface and gain unauthorized access to system resources. The flaw stems from inadequate input validation and privilege checking mechanisms within the kernel driver's implementation, allowing unauthorized modification of critical system paths.
The technical exploitation of this vulnerability relies on the attacker's ability to interact with the vulnerable IOCTL interface without requiring administrative privileges. Through careful manipulation of the interface parameters, an attacker can redirect the DLL injection path that OpenEDR uses to load its components. This redirection targets a user-writable location that the attacker controls, effectively allowing the attacker to specify which DLL should be loaded into high-privilege processes. The vulnerability specifically exploits the trust relationship between the kernel driver and the DLL loading mechanism, where the system assumes that the specified paths are legitimate and secure.
The operational impact of this vulnerability is severe and far-reaching, as it enables a local attacker to achieve full system compromise through arbitrary code execution with SYSTEM privileges. Once the attacker successfully modifies the DLL injection path, the OpenEDR driver will load the attacker-controlled DLL into processes running at the highest privilege level, effectively bypassing standard security controls and user access restrictions. This privilege escalation allows the attacker to access sensitive system information, modify critical system files, establish persistent backdoors, and potentially exfiltrate data from the compromised system. The vulnerability essentially transforms a local user account into a SYSTEM-level attacker with unrestricted access to the entire system.
The attack vector aligns with the MITRE ATT&CK privilege escalation category, specifically DLL injection and kernel driver exploitation techniques. The weakness corresponds to CWE-787: Out-of-bounds Write, as the driver fails to properly validate the target path before modification, and to CWE-20: Improper Input Validation, since the IOCTL interface does not adequately sanitize user-provided parameters. It also reflects poor kernel driver development practice, particularly in how the driver handles privilege checking and path validation. Organizations should consider runtime protection mechanisms and monitoring for suspicious DLL loading activity as part of a defense-in-depth strategy. Immediate mitigation should focus on patching the affected OpenEDR version, implementing network segmentation to limit local access, and monitoring for unusual DLL injection patterns that may indicate exploitation attempts.
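The two controls the analysis calls for, a privilege-plus-path check before a driver accepts a new injection path from user mode, and monitoring of DLL loads into privileged processes, share one piece of logic: deciding whether a DLL path is under a trusted, non-user-writable root after normalization. The following is an added illustration, not code from OpenEDR or from VulDB; the trusted roots, the user-writable markers, the record layout and the sample events are all constructed for the example, and the page does not say how the real driver stores or validates its path.

```python
"""Path policy and image-load triage for the DLL-injection-path weakness class.

accept_injection_path()  - what a kernel component should verify before it
                           stores a DLL path received via IOCTL from user mode.
triage_image_loads()     - a detection pass over image-load records (Sysmon
                           Event 7 style, constructed here), flagging DLLs
                           loaded into privileged processes from outside the
                           trusted roots or from user-writable locations.
All roots, markers and events below are assumptions for the example.
"""
from __future__ import annotations

import ntpath

# Roots under which a security product's own DLLs are expected to live (assumed).
TRUSTED_ROOTS = (
    "C:\\Windows\\System32",
    "C:\\Program Files",
    "C:\\Program Files (x86)",
)

# Substrings (lower-case, normalized form) that mark locations a standard user
# can write to by default. Not exhaustive; extend per environment.
USER_WRITABLE_MARKERS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\",
    "c:\\windows\\temp\\",
)

# Process integrity levels treated as privileged for triage purposes.
PRIVILEGED_INTEGRITY = {"system", "high"}


def normalize(path: str) -> str:
    """Strip the extended-length prefix, collapse separators and resolve
    '.' / '..' lexically, then lower-case (NTFS paths are case-insensitive).
    Comparing raw strings would miss traversal such as 'Program Files\\..\\Users'."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def is_under(path: str, root: str) -> bool:
    """True if normalized path equals root or lies strictly inside it."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r + "\\")


def accept_injection_path(caller_is_admin: bool, path: str) -> tuple[bool, str]:
    """Return (accepted, reason). Both the privilege check and the path policy
    must pass; either one alone is the gap the analysis describes."""
    if not caller_is_admin:
        return False, "caller lacks administrative privilege"
    p = normalize(path)
    drive = ntpath.splitdrive(p)[0]
    if not (len(drive) == 2 and drive[1] == ":"):
        # Rejects relative paths and UNC paths (\\server\share\...).
        return False, "path must be an absolute local drive path"
    if not p.endswith(".dll"):
        # Also rejects alternate data streams such as 'x.dll:stream'.
        return False, "path must name a .dll"
    if not any(is_under(p, root) for root in TRUSTED_ROOTS):
        return False, "path outside trusted roots"
    return True, "ok"


def triage_image_loads(events: list[dict]) -> list[dict]:
    """Flag DLLs loaded into privileged processes from untrusted or
    user-writable locations. Each event: image, integrity, image_loaded."""
    findings = []
    for ev in events:
        if ev["integrity"].lower() not in PRIVILEGED_INTEGRITY:
            continue
        dll = normalize(ev["image_loaded"])
        reasons = []
        if not any(is_under(dll, root) for root in TRUSTED_ROOTS):
            reasons.append("outside trusted roots")
        if any(marker in dll for marker in USER_WRITABLE_MARKERS):
            reasons.append("user-writable location")
        if reasons:
            findings.append({"process": ev["image"], "dll": dll, "reasons": reasons})
    return findings


# Constructed sample records; 'ExampleEDR' is a placeholder vendor directory.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\services.exe", "integrity": "System",
     "image_loaded": "C:\\Program Files\\ExampleEDR\\edrhook.dll"},
    {"image": "C:\\Windows\\System32\\winlogon.exe", "integrity": "System",
     "image_loaded": "C:\\Users\\Public\\edrhook.dll"},
    {"image": "C:\\Windows\\System32\\svchost.exe", "integrity": "System",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\..\\..\\..\\..\\Public\\update.dll"},
    {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\demo.exe", "integrity": "Medium",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"},
]

if __name__ == "__main__":
    for finding in triage_image_loads(SAMPLE_EVENTS):
        print(finding)
```

The third sample event is the reason normalization happens before any comparison: its raw string never contains `C:\Users\Public`, yet after lexical resolution that is where the DLL lives. The same `is_under` policy serves both sides, so the driver-side acceptance check and the monitoring rule cannot drift apart.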