Bypass Record

Exploitation for Priv-Esc × Comodo Security OpenEDR 2.5.1.0

A publicly reported instance of Exploitation for Priv-Esc bypassing Comodo Security OpenEDR 2.5.1.0, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Comodo Security OpenEDR 2.5.1.0
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: poc
Disclosed: 2026-03-16
Config / version noted: Not stated

Provenance

Reported as

An attacker with local access can redirect this path to a user-writable location, causing OpenEDR to load a malicious DLL into privileged processes

Mechanism

The OpenEDR kernel driver exposes an IOCTL interface that allows modification of the DLL injection path. An attacker with local access can redirect this path to a user-writable location, causing OpenEDR to load a malicious DLL into privileged processes, resulting in privilege escalation to SYSTEM.

Detection & mitigation

Monitor for unexpected modifications to the OpenEDR DLL injection path via IOCTL calls, using kernel driver auditing or EDR telemetry that tracks registry/file path changes. Mitigate by applying vendor patches, restricting local access, and enforcing application control to block unauthorized DLL loading.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.