CVE-2024-29404
Published: 03 December 2024
Summary
CVE-2024-29404 is a high-severity Command Injection (CWE-77) vulnerability in Razer Synapse (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-29404 is a command injection vulnerability (CWE-77) affecting Razer Synapse 3 version 3.9.131.20813 and the Synapse 3 App version 20240213. It resides in the Profiles component, specifically the export parameter of the Chroma Effects function, and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low complexity, and full confidentiality, integrity, and availability impact.
A local attacker with low privileges can exploit the flaw without user interaction to execute arbitrary code on the affected system. The vulnerability is triggered through crafted input to the export parameter, enabling the attacker to run commands in the context of the Synapse process.
Public references include a proof-of-concept repository demonstrating the issue and a Razer product page, but no vendor advisory or patch details are provided in the available sources. The EPSS score has remained flat at 0.1086 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26411
Vulnerability details
An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in the Profiles component.
- CWE(s): CWE-77
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.