CVE-2017-9769

CRITICAL

Razer Synapse <2.20.15.1104 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-9769. PoCs published by Metasploit, kkent030315, including Metasploit module exploits/windows/local/razer_zwopenprocess.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-9769, a local privilege escalation vulnerability in Razer Synapse's rzpnk.sys driver. It leverages an IOCTL handler flaw to open a handle to winlogon.exe and inject shellcode, achieving SYSTEM privileges.

Description

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows_x86-64
https://www.exploit-db.com/exploits/42368

This Metasploit module exploits CVE-2017-9769, a local privilege escalation vulnerability in Razer Synapse's rzpnk.sys driver. It leverages an IOCTL handler flaw to open a handle to winlogon.exe and inject shellcode, achieving SYSTEM privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Razer Synapse v2.20.15.1104 (rzpnk.sys driver)
No auth needed
Prerequisites: Razer Synapse installed · RazerIngameEngine.exe not running (or ability to kill it) · x64 Windows system
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 14 stars
by kkent030315 · poc
https://github.com/kkent030315/CVE-2017-9769

This repository contains a proof-of-concept exploit for CVE-2017-9769, which leverages a vulnerable IOCTL in the Razer Synapse driver (rzpnk.sys) to open a handle to an arbitrary process via ZwOpenProcess. The exploit demonstrates privilege escalation by obtaining a handle to the current process with elevated permissions.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Razer Synapse 2.20.15.1104
No auth needed
Prerequisites: Razer Synapse 2.20.15.1104 installed · Vulnerable rzpnk.sys driver loaded
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/razer_zwopenprocess.rb

This Metasploit module exploits a vulnerability in the Razer Synapse driver (rzpnk.sys) by leveraging an IOCTL handler that allows arbitrary process handle opening. It escalates privileges to SYSTEM by injecting shellcode into the winlogon process and triggering execution via LockWorkStation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Razer Synapse (v2.20.15.1104)
No auth needed
Prerequisites: Razer Synapse installed · RazerIngameEngine.exe not running (or ability to kill it) · Local access to the target system
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://warroom.securestate.com/cve-2017-9769/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42368/

Scores

CVSS v3 9.8
EPSS 0.8554
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
razer/synapse 2.20.15.1104
Published Aug 02, 2017
Tracked Since Feb 18, 2026