Executive Summary

CVE-2025-69784 is a local privilege escalation vulnerability in the OpenEDR 2.5.1.0 kernel driver. A non-privileged attacker can exploit a vulnerable IOCTL interface exposed by the driver to modify the DLL injection path used by OpenEDR. By redirecting this path to a location writable by the attacker, the attacker can cause OpenEDR to load a malicious DLL into high-privilege processes.

This leads to arbitrary code execution with SYSTEM privileges, effectively allowing the attacker to fully compromise the affected system.

The exploit involves sending specially crafted IOCTL requests to the driver to disable protections and inject a malicious DLL path using directory traversal sequences.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local attacker to escalate their privileges to SYSTEM level by injecting a malicious DLL into high-privilege processes.

As a result, the attacker gains full control over the affected system, which can lead to unauthorized access, data theft, system manipulation, and potentially complete system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unusual or unauthorized IOCTL calls to the OpenEDR kernel driver, especially those that modify the DLL injection path.'}, {'type': 'paragraph', 'content': 'One way to detect exploitation attempts is to monitor for the presence of device handles opened to the driver named CMD_ERDDRV_IOCTLDEVICE_WIN32_NAME and IOCTL commands such as CMD_ERDDRV_IOCTL_SET_CONFIG being sent with suspicious payloads.'}, {'type': 'paragraph', 'content': 'On a Windows system, you can use tools like Sysinternals Process Monitor (Procmon) to filter for operations involving the OpenEDR driver device or use custom scripts to detect IOCTL calls.'}, {'type': 'paragraph', 'content': 'Example commands or approaches include:'}, {'type': 'list_item', 'content': 'Use Procmon to filter for CreateFile or DeviceIoControl calls targeting the OpenEDR driver device.'}, {'type': 'list_item', 'content': 'Use PowerShell or C++ code to enumerate handles and detect if the device name CMD_ERDDRV_IOCTLDEVICE_WIN32_NAME is opened.'}, {'type': 'list_item', 'content': "Monitor for changes in the DLL injection path configuration by inspecting the driver's configuration if possible."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable IOCTL interface exposed by the OpenEDR kernel driver to prevent non-privileged users from sending crafted IOCTL requests.

Ensure that only trusted and privileged processes can interact with the driver device to prevent unauthorized configuration changes.

If possible, update or patch the OpenEDR product to a version where this vulnerability is fixed.

As a temporary workaround, monitor and block suspicious IOCTL commands that attempt to modify the DLL injection path.

Additionally, verify the integrity of DLL paths used by OpenEDR and restrict write permissions on directories that could be used for DLL injection.

Useful 0 Not Useful 0