Bypass Record

Tamper-Protection Bypass × OpenEDR

A publicly-reported instance of a Tamper-Protection Bypass used against OpenEDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
OpenEDR
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
poc
Disclosed
2025-12-12
Config / version noted
Yes

Provenance

Reported as

CVE-2025-69783 allows bypassing the self-defense mechanism by spoofing the process name to gain trusted status.

Mechanism

The kernel driver's IOCTL handler trusts processes based on a name check that can be bypassed by renaming the executable (CVE-2025-69783). Once trusted, an attacker can modify the EDR configuration to change the path of the monitoring DLL injected into processes, causing a malicious DLL to be loaded into a privileged process, leading to privilege escalation (CVE-2025-69784).

Detection & mitigation

Monitor for unexpected process renaming (e.g., Sysmon Event ID 1 process-creation events whose OriginalFileName does not match the Image file name) and for unauthorized registry or configuration-file changes to EDR injection paths. Enforce strict integrity controls on EDR components and apply vendor patches immediately.
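As an added detection example, not code from the cited record or from the OpenEDR project: a small Python check over constructed Sysmon Event ID 1 records that flags processes whose OriginalFileName disagrees with the on-disk Image name, and rates the alert higher when the new name matches an assumed (placeholder) list of EDR process names.

```python
"""Added example: flag Sysmon Event ID 1 records where the PE's OriginalFileName
does not match the executable's on-disk name (the renaming pattern noted above).
Not taken from the cited record or OpenEDR."""
import ntpath
from typing import Dict, List

# Assumption: process names an EDR driver might treat as trusted. Placeholder
# values, not from the OpenEDR source; substitute the product's real names.
TRUSTED_NAMES = {"edr_agent.exe", "edr_service.exe"}

# Constructed sample records shaped like Sysmon Event ID 1 fields (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "4120", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},                        # benign: names agree
    {"EventID": "1", "ProcessId": "5008", "Image": r"C:\Users\Public\edr_agent.exe",
     "OriginalFileName": "tool.exe"},                           # renamed to a trusted name
    {"EventID": "1", "ProcessId": "5200", "Image": r"C:\Temp\build.exe",
     "OriginalFileName": "msbuild.exe"},                        # renamed, not a trusted name
    {"EventID": "1", "ProcessId": "5300", "Image": r"C:\Temp\unk.exe",
     "OriginalFileName": "-"},                                  # no version info: skip
    {"EventID": "3", "ProcessId": "5400", "Image": r"C:\Temp\x.exe",
     "OriginalFileName": "y.exe"},                              # not a process-create event
]


def rename_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per Event ID 1 record whose names disagree."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        image_name = ntpath.basename(ev.get("Image", "")).lower()
        original = ev.get("OriginalFileName", "").lower()
        # Sysmon emits "-" (or "?") when the PE carries no version resource.
        if original in ("", "-", "?") or original == image_name:
            continue
        severity = "high" if image_name in TRUSTED_NAMES else "medium"
        alerts.append({
            "ProcessId": ev.get("ProcessId", ""),
            "Image": ev.get("Image", ""),
            "OriginalFileName": ev.get("OriginalFileName", ""),
            "Severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in rename_alerts(SAMPLE_EVENTS):
        print(f"[{a['Severity']}] pid {a['ProcessId']}: {a['Image']} "
              f"(OriginalFileName={a['OriginalFileName']})")
```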

Tamper-Protection Bypass has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.