CVE-2025-69784
IOCTL Path Manipulation in OpenEDR Driver Enables SYSTEM Code Execution
Publication date: 2026-03-16
Last updated on: 2026-03-20
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xcitium | openedr | 2.5.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69784 is a local privilege escalation vulnerability in the OpenEDR 2.5.1.0 kernel driver. A non-privileged attacker can exploit a vulnerable IOCTL interface exposed by the driver to modify the DLL injection path used by OpenEDR. By redirecting this path to a location writable by the attacker, the attacker can cause OpenEDR to load a malicious DLL into high-privilege processes.
This leads to arbitrary code execution with SYSTEM privileges, effectively allowing the attacker to fully compromise the affected system.
The exploit involves sending specially crafted IOCTL requests to the driver to disable protections and inject a malicious DLL path using directory traversal sequences.
How can this vulnerability impact me?:
This vulnerability allows a local attacker to escalate their privileges to SYSTEM level by injecting a malicious DLL into high-privilege processes.
As a result, the attacker gains full control over the affected system, which can lead to unauthorized access, data theft, system manipulation, and potentially complete system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unusual or unauthorized IOCTL calls to the OpenEDR kernel driver, especially those that modify the DLL injection path.
One way to detect exploitation attempts is to monitor for the presence of device handles opened to the driver named CMD_ERDDRV_IOCTLDEVICE_WIN32_NAME and IOCTL commands such as CMD_ERDDRV_IOCTL_SET_CONFIG being sent with suspicious payloads.
On a Windows system, you can use tools like Sysinternals Process Monitor (Procmon) to filter for operations involving the OpenEDR driver device, or use custom scripts to detect IOCTL calls.
Example commands or approaches include:
- Use Procmon to filter for CreateFile or DeviceIoControl calls targeting the OpenEDR driver device.
- Use PowerShell or C++ code to enumerate handles and detect if the device name CMD_ERDDRV_IOCTLDEVICE_WIN32_NAME is opened.
- Monitor for changes in the DLL injection path configuration by inspecting the driver's configuration if possible. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable IOCTL interface exposed by the OpenEDR kernel driver to prevent non-privileged users from sending crafted IOCTL requests.
Ensure that only trusted and privileged processes can interact with the driver device to prevent unauthorized configuration changes.
If possible, update or patch the OpenEDR product to a version where this vulnerability is fixed.
As a temporary workaround, monitor and block suspicious IOCTL commands that attempt to modify the DLL injection path.
Additionally, verify the integrity of DLL paths used by OpenEDR and restrict write permissions on directories that could be used for DLL injection.
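The last mitigation step, restricting write permissions on directories that could serve as a DLL load location (the CWE-427 condition), can be audited with a short script. The following PowerShell is an added example written for this page, not code from the advisory or from the OpenEDR project. The directory list is a placeholder assumption: replace it with the locations that OpenEDR's DLL injection path actually resolves to in your deployment. The script reports every Allow ACE that grants file-creation or modification rights to a broad principal that an ordinary local user is a member of.

```powershell
# Added example (not from the advisory or the OpenEDR project): audit
# directories for write access granted to broad, non-privileged principals.
# The default directory list is a placeholder; adjust it to the real DLL
# injection path(s) used by OpenEDR on the system being checked.
param(
    [string[]]$Directories = @('C:\PLACEHOLDER\OpenEDR\inject')   # placeholder, adjust
)

# Principals that every non-privileged, interactively logged-on user holds.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder create or replace a file in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $Path

    # Collect Allow entries for broad principals that include a write-capable right.
    $findings = @(foreach ($ace in $acl.Access) {
        $isAllow  = $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
        $canWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0
        if ($isAllow -and $isBroad -and $canWrite) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    })

    [pscustomobject]@{ Path = $Path; Exists = $true; Findings = $findings }
}

foreach ($dir in $Directories) {
    $result = Test-BroadWriteAccess -Path $dir
    if (-not $result.Exists) {
        Write-Warning "$($result.Path): directory not found"
        continue
    }
    if ($result.Findings.Count -eq 0) {
        Write-Output "$($result.Path): no broad write access (OK)"
    } else {
        Write-Output "$($result.Path): WRITABLE by non-privileged principals, review the ACEs below"
        $result.Findings | Format-Table -AutoSize
    }
}
```

Run it from an elevated prompt so that Get-Acl can read the security descriptors. A directory flagged here should have the offending ACE removed (for example with Set-Acl or icacls) so that only administrators and SYSTEM can place files there; inherited entries usually mean the parent directory's ACL is the one to fix. The check is deliberately conservative: it does not enumerate group membership, so a custom group that contains all users will not be flagged and should be added to $BroadPrincipals if it exists in your environment.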