Public Disclosure: 12 Supply Chain Vulnerabilities in Open EDR (Xcitium / Comodo)
Researcher: Eneshan Erdoğan Karaca
Date: July 11, 2026
Medium Article: Open EDR: 12 Supply Chain Vulnerabilities and a Vendor’s 30-Day Silence
Summary
I identified 12 supply chain vulnerabilities in Comodo's Open EDR (now maintained by Xcitium). The affected components are third-party libraries bundled directly into the repository that have not been updated for approximately seven to eight years. Collectively, these outdated dependencies are associated with more than 100 publicly documented CVEs, including Remote Code Execution (RCE), Information Disclosure, Denial of Service (DoS), and Security Bypass.
Affected Components
Repository Evidence:
Vendor Communication Timeline
- June 21, 2026 – Initial report sent to
security@xcitium.com.
- June 22, 2026 – Received a one-sentence reply from Oleg Kalinin (Development Manager, CCS):
"We haven't updated for a long time, we will update in the next release."
- June 22 – July 10, 2026 – Sent four follow-up emails requesting:
- An update timeline
- CVE assignment or security advisory
- Additional technical information
- July 11, 2026 – No further response has been received.
Why I Am Disclosing Publicly
At the time of this disclosure:
- I could not find a formal security disclosure policy for the Open EDR repository.
- It is unclear whether Open EDR is actively maintained or effectively deprecated.
- 20 days have passed since my initial report with only one brief acknowledgment.
- The vendor appears unaware of its responsibilities and continues to host software containing known, publicly documented vulnerabilities.
The purpose of this disclosure is not to damage a vendor's reputation. It is to:
- Inform users so they can make risk-based decisions about their deployments.
- Encourage the vendor to update these libraries and recognize the implications of shipping outdated dependencies in an EDR solution.
- Raise awareness in the security community about supply chain risks — even in software designed to provide security.
Potential Security Impact
EDR software typically operates with elevated privileges and occupies a highly trusted position within an organization's infrastructure. If vulnerable third-party components are reachable through product functionality, successful exploitation could potentially allow an attacker to:
- Execute arbitrary code
- Access sensitive information
- Cause denial of service
- Reduce or disable monitoring capabilities
- Increase opportunities for lateral movement
Recommendations
For Xcitium / Comodo:
- Update all bundled third-party libraries to their latest stable versions.
- Publish a formal security disclosure policy.
- Clarify the maintenance status of Open EDR.
- Maintain timely communication with security researchers.
For Open EDR Users:
- Review your deployed versions.
- Monitor vendor updates.
- Restrict unnecessary network exposure where appropriate.
- Consider compensating controls until dependencies are updated.
Links
This disclosure is made after a responsible disclosure period with limited vendor response. All findings are based on publicly available repository contents.
Eneshan Erdoğan Karaca
July 11, 2026
Public Disclosure: 12 Supply Chain Vulnerabilities in Open EDR (Xcitium / Comodo)
Researcher: Eneshan Erdoğan Karaca
Date: July 11, 2026
Medium Article: Open EDR: 12 Supply Chain Vulnerabilities and a Vendor’s 30-Day Silence
Summary
I identified 12 supply chain vulnerabilities in Comodo's Open EDR (now maintained by Xcitium). The affected components are third-party libraries bundled directly into the repository that have not been updated for approximately seven to eight years. Collectively, these outdated dependencies are associated with more than 100 publicly documented CVEs, including Remote Code Execution (RCE), Information Disclosure, Denial of Service (DoS), and Security Bypass.
Affected Components
Repository Evidence:
Vendor Communication Timeline
security@xcitium.com.Why I Am Disclosing Publicly
At the time of this disclosure:
The purpose of this disclosure is not to damage a vendor's reputation. It is to:
Potential Security Impact
EDR software typically operates with elevated privileges and occupies a highly trusted position within an organization's infrastructure. If vulnerable third-party components are reachable through product functionality, successful exploitation could potentially allow an attacker to:
Recommendations
For Xcitium / Comodo:
For Open EDR Users:
Links
This disclosure is made after a responsible disclosure period with limited vendor response. All findings are based on publicly available repository contents.
Eneshan Erdoğan Karaca
July 11, 2026