Windows 10’s security is easily thwarted just by plugging in a Razer peripheral

Razer Deathadder Essential and Windows 10
(Image credit: Razer and Microsoft)

So, this is a bit unsettling—a white hat hacker has discovered a bug in Razer's device installer software that could give a hacker full admin rights in Windows 10, simply by plugging in a compatible peripheral and downloading the accompanying Synapse utility. This could be a Razer mouse or keyboard, or any device that taps in the Synapse software.

A user who goes by "jonhat" on Twitter publicly disclosed the security flaw after contacting Razer and initially not getting a response from the company. The post also contains a video highlighting how incredibly simple it is to exploit the newly discovered attack vector, as a user with only limited standard system privileges.

What's at issue here is that when plugging in a Razer device (or dongle, if it's a wireless peripheral), Windows fetches a Razer installer containing driver software and the Synapse utility. As part of the setup routine, it opens up an Explorer window prompting the user to select where the driver should be installed.

This setup routine is run with elevated Admin privileges, the highest available in Windows 10. What jonhat found is that if a user opts to change the default location of the installation folder, which brings up a 'Choose a folder' dialog, a user can right-click the installation window and press the Shift key to open a Powershell terminal with those same Admin privileges. That's not good. From there, an attacker could wreak all kinds of havoc. 

The video in the Twitter post demonstrates this process, and the folks at BleepingComputer confirmed it as well, noting "the bug is so easy to exploit as you just need to spend $20 on Amazon" for a Razer peripheral.

In one of the responses, a user said it also "works great" to spoof the vendor ID of an existing, non-Razer peripheral, so an attacker wouldn't even need to purchase anything. And yet another user claimed this attack vector "works also with any Asus ROG mouse. It will prompt to install Armory Crate" and execute it with the same elevated system privileges.

For its part, Razer acknowledged the issue in a statement provided to ComputerBase, saying a fix is on the way.

"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process," Razer said.  "We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine."

"We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up," Razer added.

Likewise, jonhat said Razer has subsequently been in touch and offered up a bounty despite publicly disclosing the issue.

Perfect peripherals

(Image credit: Colorwave)

Best gaming mouse: the top rodents for gaming
Best gaming keyboard: your PC's best friend...
Best gaming headset: don't ignore in-game audio

Should you be worried about this? Not really, for the most part. Razer note this is bug only applies to a "very specific use case," and that's because an attacker would need physical access to a machine in order to exploit the vulnerability—this is not something that can be accomplished remotely.

That said, this is another reason why you should never leave your laptop unattended in places where others might have access to it. The risk of theft, of course, is the other good reason not to do such a thing.

While Razer is working on a fix, it will be interesting to see if Microsoft comes up with any safeguards that would do away with this method of bypassing limited account privileges. This presumably would work in Windows 11 as well, though at this point, it does not seem as though anyone has tested it yet.

Paul Lilly

Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).

Read more
Mister Fantastic giving a thumbs up
A Marvel Rivals player has uncovered 'one of the most dangerous vulnerabilities a game can have' that'll let cheaters take over your PC and find your passwords
Microsoft Windows 11
If you installed Windows 11 with certain security updates and a USB stick, you may not get any more security updates warns Microsoft
Pipboy holds up an open padlock.
A BIOS update could be all that's stopping you or someone else from jailbreaking your old AMD CPU
Wooting 80HE on a desk and controlled by the Wootility.
There's one reason I come back to this one rapid trigger gaming keyboard over the rest, and that's great software
Two Razer Project Arielle gaming chairs, one lit up in red, the other in blue.
Razer blew hot and cold air down my neck and rumbled my posterior at CES 2025, and I liked it
The Buffalo RUF3-KEV USB drive on a red-orange gradient
This USB flash drive has a built-in anti-malware system, but I still wouldn't use one I found in a parking lot
Latest in Hardware
Jensen Huang, co-founder and chief executive officer of Nvidia Corp., speaks while holding the company's new GeForce RTX 50 series graphics cards and a Thor Blackwell robotics processor during the 2025 CES event in Las Vegas, Nevada, US, on Monday, Jan. 6, 2025. Huang announced a raft of new chips, software and services, aiming to stay at the forefront of artificial intelligence computing. Photographer: Bridget Bennett/Bloomberg via Getty Images
Group allegedly trying to smuggle Nvidia Blackwell chips stare down bail set at over $1 million
OpenAI logo displayed on a phone screen and ChatGPT website displayed on a laptop screen are seen in this illustration photo taken in Krakow, Poland on December 5, 2022.
If you don't let us scrape copyrighted content, we will lose out to China says OpenAI as it tries to influence US government
Alienware 27 AW2725Q QD-OLED
Alienware 27 AW2725Q QD-OLED review
Nvidia RTX 5090 Founders Edition graphics card on different backgrounds
AI will be crammed in more of the graphics pipeline as Nvidia and Microsoft are bringing AI shading to a DirectX preview next month
Nvidia RTX 50-series graphics cards alongside an RTX 4090
Nvidia says it's sold twice as many RTX 50-series cards as RTX 40-series in the first 5 weeks. I'd bloody well hope so given there was essentially just the RTX 4090 for competition
AMD Radeon RX 9070/9070 XT graphics cards with artistic renders of reference design cards circled
Looks like a reference design AMD RX 9070 XT card has shown up in China, but let's not get carried away with thoughts of MBA cards just yet
Latest in News
Erenshor - A player and two simulated MMO party members stand on a plateau in front of a yellow landscape
This RuneScape-looking 'simulated MMORPG' has all the nostalgia without the drama because all the other 'players' are NPCs
Pirate Bay co-founder Carl Lundstrom
Pirate Bay co-founder and far-right politician found dead after plane crash
Sunset in the desert in Hello Sunshine
Hello Sunshine is a desert survival sandbox where you live in the literal shadow of the colossus
Roblox CEO David Baszucki.
'Don't let your kids be on Roblox', Roblox CEO tells parents, before comparing himself to Walt Disney and declaring the platform 'the future of communication'
Titus in Warhammer 40,000: Space Marine 3 reveal promo image
Praise be to the Omnissiah! Warhammer 40,000: Space Marine 3 is officially in development
Jensen Huang, co-founder and chief executive officer of Nvidia Corp., speaks while holding the company's new GeForce RTX 50 series graphics cards and a Thor Blackwell robotics processor during the 2025 CES event in Las Vegas, Nevada, US, on Monday, Jan. 6, 2025. Huang announced a raft of new chips, software and services, aiming to stay at the forefront of artificial intelligence computing. Photographer: Bridget Bennett/Bloomberg via Getty Images
Group allegedly trying to smuggle Nvidia Blackwell chips stare down bail set at over $1 million