CVE-2025-69783

{"id": "CVE-2025-69783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-16T16:16:13.333", "references": [{"url": "https://github.com/ComodoSecurity/openedr", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/ComodoSecurity/openedr/issues/49", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://scavengersecurity.com/posts/edr-as-rootkit-2/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openedr.com/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-250"}]}], "descriptions": [{"lang": "en", "value": "A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation."}, {"lang": "es", "value": "Un atacante local puede eludir el mecanismo de autodefensa 2.5.1.0 de OpenEDR al renombrar un ejecutable malicioso para que coincida con el nombre de un proceso de confianza (p. ej., 'csrss.exe', 'edrsvc.exe', 'edrcon.exe'). Esto permite la interacci\u00f3n no autorizada con el controlador de kernel de OpenEDR, otorgando acceso a funcionalidades privilegiadas como cambios de configuraci\u00f3n, monitoreo de procesos y comunicaci\u00f3n IOCTL que deber\u00eda estar restringida a componentes de confianza. Si bien este problema por s\u00ed solo no otorga directamente privilegios de SYSTEM, rompe el modelo de confianza de OpenEDR y permite una explotaci\u00f3n adicional que conduce a una escalada de privilegios local completa."}], "lastModified": "2026-03-20T13:55:32.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2BE1711-EE54-4E5D-A6CD-40033932443C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}