OpenEDR 2.5.1.0: Local attacker can rename malicious executable to evade protection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

OpenEDR 2.5.1.0: Local attacker can rename malicious executable to evade protection

CVE-2025-69783

Summary

A local attacker with malicious intent can rename a malicious file to mimic a trusted system process, potentially allowing them to access sensitive features of OpenEDR. This is a significant concern as it compromises the trust model and could lead to further exploitation, ultimately granting the attacker full control over the system. To mitigate this risk, ensure that OpenEDR is updated to the latest version and implement robust security measures to prevent unauthorized access to system processes.

Original title

Original description

A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged functionality such as configuration changes, process monitoring, and IOCTL communication that should be restricted to trusted components. While this issue alone does not directly grant SYSTEM privileges, it breaks OpenEDR's trust model and enables further exploitation leading to full local privilege escalation.

Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026