Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required.
The specific flaw exists within the Mirror functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26962.
AnalysisAI
Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.
Technical ContextAI
The vulnerability exists in the Mirror functionality of 2BrightSparks SyncBackFree and is classified as CWE-59 (Improper Link Resolution Before File Access), which describes improper handling of symbolic links or junctions that allow attackers to access or modify unintended files. The flaw allows an attacker to create a malicious junction (Windows hard link alternative) that causes the SyncBackFree service—running with elevated SYSTEM privileges—to delete arbitrary files on the filesystem. This represents a classic symlink/junction following vulnerability where the application does not properly validate or sanitize the target path before performing file operations, allowing an attacker to redirect file deletion operations to sensitive system files. The Mirror functionality appears to be a backup/synchronization feature that traverses directory structures and performs file operations, making it susceptible to directory traversal and link-following attacks when junctions are involved.
RemediationAI
Apply the latest security patch from 2BrightSparks for SyncBackFree. Specific patch version numbers were not provided in the available data; consult the official 2BrightSparks website (https://www.2brightsparks.com/) or security advisories for the patched version. Interim mitigations include: (1) Restrict Mirror functionality usage to trusted administrators only; (2) Implement filesystem ACLs to prevent low-privileged users from creating junctions in directories monitored by SyncBackFree Mirror operations; (3) Disable the Mirror functionality if not required; (4) Run SyncBackFree with minimal necessary privileges rather than SYSTEM context if possible; (5) Monitor filesystem for unauthorized junction creation in backup/sync target directories. Users should update to the latest version of SyncBackFree as soon as patches are available from the vendor.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17357