CVE-2020-16602
published 2020-09-02


Priority: P2 61
CVSS 3.1: 8.1 (high)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 5.99% (92.4th percentile)
Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.

Affected (1 range)

Vendor   Product      Version range   Fixed in
razer    chroma_sdk   <= 3.12.17      (not listed)

Detection & IOCs (extracted from sources)

port: 54236
url: https://chromasdk.io:54236/razer/chromasdk
path: %PROGRAMDATA%\Razer Chroma\SDK\Apps
path: C:\ProgramData\Razer Chroma SDK\Apps\pwn\pwn.exe
  • Monitor for unauthorized file creation or replacement events under the Razer Chroma SDK Apps directory, which is user-writable and does not require admin privileges.
  • Detect inbound HTTP PUT requests to /heartbeat and /keyboard endpoints on port 54236, which are used by the exploit to interact with the Razer Chroma SDK REST server.
  • Detect inbound HTTP POST requests to /razer/chromasdk on port 54236 from non-local or unexpected sources as a registration step indicator for exploitation.
  • Alert on rapid, repeated file write attempts to C:\ProgramData\Razer Chroma SDK\Apps\ subdirectories, indicative of a race condition exploitation loop.
  • Monitor for process execution originating from C:\ProgramData\Razer Chroma SDK\Apps\ — legitimate software should not execute binaries from this path.
  • Exploitation requires network access to port 54236 on the target; blocking or firewalling this port from untrusted networks mitigates the remote attack surface.
  • The vulnerability affects Razer Chroma SDK Rest Server through version 3.12.17 per NVD, but the exploit-db PoC targets version 3.16.02, suggesting the vulnerable window may be broader than initially documented.

CVSS provenance

nvd  v3.1  8.1  HIGH    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P