Razer Synapse is generally a decent piece of software, and the company makes some of the best gaming mice. However, the software has a new zero-day vulnerability that allows just about anyone to gain admin rights on a computer by simply plugging in a mouse or keyboard.
Razer’s Zero-Day Vulnerability
The vulnerability was first discovered by security researcher jonhat, who posted it on Twitter. It was then tested and verified by Bleeping Computer, which confirmed that the vulnerability does exist.
All you need to do is plug in a Razer mouse, dongle, or keyboard. Next, Windows 10 downloads and executes RazerInstaller as SYSTEM, which grants full privileges. From there, the elevated Explorer window can be used to open PowerShell with a keyboard shortcut. Once that’s done, the sky’s the limit in terms of what you can do on the computer.
Need local admin and have physical access?
– Plug a Razer mouse (or the dongle)
– Windows Update will download and execute RazerInstaller as SYSTEM
– Abuse elevated Explorer to open Powershell with Shift+Right click
— jonhat (@j0nh4t) August 21, 2021
Obviously, this vulnerability requires the person to physically be near the computer to plug in a Razer peripheral, so it’s not the kind of threat you need to worry about being exploited remotely. Still, anything that can grant an unauthorized person full access to a computer without permission is something that needs to be taken seriously and fixed quickly.
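Added example, not from the article nor from Razer or jonhat: a small Python check that walks constructed process-creation records and flags the chain the article describes, namely explorer.exe running as SYSTEM and a shell running as SYSTEM whose ancestor is RazerInstaller.exe. The field names (pid, ppid, image, user) and the sample records are assumptions loosely modelled on a process-create log; the paths and pids are made up.

```python
import ntpath

# Constructed sample of process-creation records (field names pid, ppid,
# image and user are an assumption loosely modelled on a process-create
# event; paths and pids are made up, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 200, "ppid": 100, "image": r"C:\constructed\RazerInstaller.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\explorer.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "user": r"DESKTOP\alice"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"DESKTOP\alice"},
]

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
INSTALLER = "razerinstaller.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def descends_from(event, by_pid, ancestor_name):
    """True if any ancestor of `event` (followed via ppid) has the given image name."""
    seen, ppid = set(), event["ppid"]
    while ppid in by_pid and ppid not in seen:  # stop on a missing parent or a cycle
        seen.add(ppid)
        parent = by_pid[ppid]
        if image_name(parent["image"]) == ancestor_name:
            return True
        ppid = parent["ppid"]
    return False


def find_suspicious(events):
    """Return (pid, reason) for each record matching the chain described in the article."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if e["user"] != SYSTEM_USER:
            continue  # the chain only matters when the process runs as SYSTEM
        if name == "explorer.exe":
            findings.append((e["pid"], "explorer.exe running as SYSTEM"))
        elif name in SHELLS and descends_from(e, by_pid, INSTALLER):
            findings.append((e["pid"], f"{name} as SYSTEM descended from {INSTALLER}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```

On real telemetry the parent walk would also need to account for pid reuse and process start times, which this constructed sample ignores.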
What Is Razer Doing?
Fortunately, Razer reached out to the researcher who discovered the vulnerability and said it is working on a fix as quickly as possible. Hopefully, an update that addresses the problem is released soon, before the bug is exploited by too many people.
Generously, Razer offered jonhat a bounty even though he disclosed the bug publicly, so the company does seem appreciative that the bug was found, giving Razer the chance to fix it and prevent future exploits.