CVE-2020-16602

HIGH

Razer Chroma SDK < 3.12.17 - Race Condition

Title source: rule

Description

Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Loke Hui Yi · pythonremotewindows

https://www.exploit-db.com/exploits/49106

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/160225/Razer-Chroma-SDK-Server-3.16.02-Race-Condition.html

[Vendor Advisory] https://assets.razerzone.com/dev_portal/REST/html/index.html

[Third Party Advisory] https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html

[Third Party Advisory] https://www.youtube.com/watch?v=fkESBVhIdIA

Scores

CVSS v3 8.1

EPSS 0.1862

EPSS Percentile 95.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-362

Status published

Products (1)

razer/chroma_sdk < 3.12.17

Published Sep 02, 2020

Tracked Since Feb 18, 2026