Cyber Resilience

CVE-2024-29404

High

Published: 03 December 2024

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1086 (93.5th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29404 is a high-severity Command Injection (CWE-77) vulnerability in Razer Synapse (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-29404 is a command injection vulnerability (CWE-77) affecting Razer Synapse 3 version 3.9.131.20813 and the Synapse 3 App version 20240213. It resides in the Profiles component, specifically the export parameter of the Chroma Effects function, and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, and high confidentiality, integrity, and availability impact.

A local attacker with low privileges can exploit the flaw without user interaction to execute arbitrary code on the affected system. The vulnerability is triggered through crafted input to the export parameter, enabling the attacker to run commands in the context of the Synapse process.

Public references include a proof-of-concept repository demonstrating the issue and a Razer product page, but no vendor advisory or patch details are provided in the available sources. The EPSS score has remained flat at 0.1086 with no observed rise after disclosure.

Vulnerability details

An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in the Profiles component.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Razer Synapse (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.