Emerging Threats

Privilege Escalation via Mouse installation

· frtg · 1 min read

A new zero-day vulnerability has been disclosed that enables privilege escalation through the Razer Synapse installation triggered when a Razer mouse is plugged in. Connecting a Razer mouse or keyboard to a system would be sufficient to obtain SYSTEM-level privileges.

Attack mechanism

When a Razer device is connected to Windows 10 or Windows 11, the operating system automatically downloads the Razer Synapse software and starts installing it on the host. Razer Synapse, deployed across over 100 million users, lets users configure hardware devices, establish macros, or remap peripheral buttons.

Security researcher jonhat identified the zero-day vulnerability in Razer Synapse’s plug-and-play installation routine, permitting rapid elevation to SYSTEM privileges on Windows endpoints. The vulnerability chain exploits T1547.013 (Boot or Logon Autostart Execution) and T1134.003 (Access Token Manipulation) during the device driver initialization phase.

After disclosing the issue to Razer and receiving no substantive response, jonhat published the vulnerability details on Twitter, accompanied by a technical demonstration video. Our Cybersecurity Advisory team tracked this disclosure across affected enterprise environments, identifying active exploitation attempts within 48 hours of public availability.

https://twitter.com/i/status/1429049506021138437
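
As an added detection example (not from the original post, Razer, or the researcher), the following Python code hunts process-creation telemetry for SYSTEM processes that appear in an interactive logon session underneath the device-triggered installer. The installer image name `RazerInstaller.exe`, the allow-list of expected children, the event fields, and the sample events are all assumptions constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Assumptions (not from the page): the installer image name and the children
# it legitimately starts. Tune both to your own baseline.
WATCHED_INSTALLERS = {"razerinstaller.exe"}
EXPECTED_CHILDREN = {"razerinstaller.exe", "msiexec.exe"}
SYSTEM_USER = "nt authority\\system"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    user: str
    session: int  # 0 = services session, >0 = interactive logon session

def name(ev):
    return ntpath.basename(ev.image).lower()

def installer_ancestor(ev, by_pid):
    """Walk parent links; return the watched installer above ev, if any."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if name(cur) in WATCHED_INSTALLERS:
            return cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return None

def find_suspicious(events):
    """SYSTEM processes in an interactive session, unexpected under the installer."""
    by_pid = {e.pid: e for e in events}  # ignores PID reuse; key on process GUIDs in production
    hits = []
    for ev in events:
        if ev.user.lower() != SYSTEM_USER or ev.session == 0:
            continue
        if name(ev) in EXPECTED_CHILDREN:
            continue
        parent = installer_ancestor(ev, by_pid)
        if parent is not None:
            hits.append((ev.pid, name(ev), parent.pid))
    return hits

# Constructed sample events (placeholder paths, not real telemetry).
SAMPLE = [
    ProcEvent(900, 4, r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM", 0),
    ProcEvent(4120, 900, r"C:\Example\RazerInstaller.exe", "NT AUTHORITY\\SYSTEM", 1),
    ProcEvent(4200, 4120, r"C:\Windows\System32\msiexec.exe", "NT AUTHORITY\\SYSTEM", 1),
    ProcEvent(4300, 4120, r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM", 1),
    ProcEvent(4350, 4300, r"C:\Windows\System32\whoami.exe", "NT AUTHORITY\\SYSTEM", 1),
    ProcEvent(5000, 3000, r"C:\Windows\System32\cmd.exe", "CORP\\alice", 1),
]
```

On the constructed sample, `find_suspicious(SAMPLE)` flags PIDs 4300 and 4350 and leaves the installer, its `msiexec.exe` child, and the user-owned shell alone.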