Skip to content

Public Disclosure: 12 Supply Chain Vulnerabilities in Open EDR (Xcitium / Comodo) #55

Description

@BoxStrikesTeam

Public Disclosure: 12 Supply Chain Vulnerabilities in Open EDR (Xcitium / Comodo)

Researcher: Eneshan Erdoğan Karaca
Date: July 11, 2026
Medium Article: Open EDR: 12 Supply Chain Vulnerabilities and a Vendor’s 30-Day Silence


Summary

I identified 12 supply chain vulnerabilities in Comodo's Open EDR (now maintained by Xcitium). The affected components are third-party libraries bundled directly into the repository that have not been updated for approximately seven to eight years. Collectively, these outdated dependencies are associated with more than 100 publicly documented CVEs, including Remote Code Execution (RCE), Information Disclosure, Denial of Service (DoS), and Security Bypass.


Affected Components

Library Version Key CVEs
AWS SDK for C++ 1.7.63 CVE-2025-14760
Boost 1.70.0 (CVE-2023-52323 was originally misattributed; it affects PyCryptodome, not Boost)
cURL 7.63.0 CVE-2019-3822, CVE-2018-16890, CVE-2021-22890
OpenSSL 1.1.1b CVE-2019-1543, CVE-2022-0778, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2026-41676

Repository Evidence:


Vendor Communication Timeline

  • June 21, 2026 – Initial report sent to security@xcitium.com.
  • June 22, 2026 – Received a one-sentence reply from Oleg Kalinin (Development Manager, CCS):

    "We haven't updated for a long time, we will update in the next release."

  • June 22 – July 10, 2026 – Sent four follow-up emails requesting:
    • An update timeline
    • CVE assignment or security advisory
    • Additional technical information
  • July 11, 2026No further response has been received.

Why I Am Disclosing Publicly

At the time of this disclosure:

  • I could not find a formal security disclosure policy for the Open EDR repository.
  • It is unclear whether Open EDR is actively maintained or effectively deprecated.
  • 20 days have passed since my initial report with only one brief acknowledgment.
  • The vendor appears unaware of its responsibilities and continues to host software containing known, publicly documented vulnerabilities.

The purpose of this disclosure is not to damage a vendor's reputation. It is to:

  • Inform users so they can make risk-based decisions about their deployments.
  • Encourage the vendor to update these libraries and recognize the implications of shipping outdated dependencies in an EDR solution.
  • Raise awareness in the security community about supply chain risks — even in software designed to provide security.

Potential Security Impact

EDR software typically operates with elevated privileges and occupies a highly trusted position within an organization's infrastructure. If vulnerable third-party components are reachable through product functionality, successful exploitation could potentially allow an attacker to:

  • Execute arbitrary code
  • Access sensitive information
  • Cause denial of service
  • Reduce or disable monitoring capabilities
  • Increase opportunities for lateral movement

Recommendations

For Xcitium / Comodo:

  • Update all bundled third-party libraries to their latest stable versions.
  • Publish a formal security disclosure policy.
  • Clarify the maintenance status of Open EDR.
  • Maintain timely communication with security researchers.

For Open EDR Users:

  • Review your deployed versions.
  • Monitor vendor updates.
  • Restrict unnecessary network exposure where appropriate.
  • Consider compensating controls until dependencies are updated.

Links


This disclosure is made after a responsible disclosure period with limited vendor response. All findings are based on publicly available repository contents.

Eneshan Erdoğan Karaca
July 11, 2026

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions