EUVD-2025-17357

CVE-2025-5474 HIGH
2025-06-06 [email protected]
CVSS 3.0 base score: 7.3

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17357
CVE Published: Jun 06, 2025 - 19:15 (nvd), HIGH 7.3

Description

2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required. The specific flaw exists within the Mirror functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26962.

Analysis

Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.

Technical Context

The vulnerability exists in the Mirror functionality of 2BrightSparks SyncBackFree and is classified as CWE-59 (Improper Link Resolution Before File Access), which covers improper handling of symbolic links or junctions that lets an attacker reach or modify files the application never intended to touch. The flaw allows an attacker to create a malicious junction (a Windows directory reparse point that redirects a path to another directory) so that the SyncBackFree service, running with elevated SYSTEM privileges, deletes arbitrary files on the filesystem. This is a classic symlink/junction-following vulnerability: the application does not verify that the path it is about to operate on is still the path it expects (for example by refusing to follow reparse points during deletion), so an attacker can redirect file deletion operations to sensitive system files. The Mirror functionality is a backup/synchronization feature that traverses directory structures and performs file operations, which makes it susceptible to link-following attacks when junctions are present in the directories it processes.

Affected Products

2BrightSparks SyncBackFree (specific version range not provided in description, but likely recent versions around 2025). The CVE references ZDI-CAN-26962, indicating a ZDI submission. CPE information was not provided in the source data, but the affected product can be identified as: Vendor='2BrightSparks', Product='SyncBackFree', Type='Application'. Typical CPE would be cpe:2.3:a:2brightsparks:syncbackfree:*:*:*:*:*:*:*:* (version range to be determined from vendor advisory). The vulnerability affects Windows systems where SyncBackFree is installed with the Mirror functionality enabled and accessible to lower-privileged users.

Remediation

Apply the latest security patch from 2BrightSparks for SyncBackFree. Specific patch version numbers were not provided in the available data; consult the official 2BrightSparks website (https://www.2brightsparks.com/) or security advisories for the patched version. Interim mitigations include:

(1) Restrict Mirror functionality usage to trusted administrators only.
(2) Implement filesystem ACLs to prevent low-privileged users from creating junctions in directories monitored by SyncBackFree Mirror operations.
(3) Disable the Mirror functionality if not required.
(4) Run SyncBackFree with the minimum necessary privileges rather than in the SYSTEM context, if possible.
(5) Monitor the filesystem for unauthorized junction creation in backup/sync target directories.

Users should update to the latest version of SyncBackFree as soon as patches are available from the vendor.
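The following audit script is an added example for mitigation (5); it is not from the advisory or the vendor. It walks an assumed mirror/sync root, lists every reparse point (junction or symbolic link) under it, and flags those whose target resolves outside that root, together with the owner and creation time, which is what an administrator would want to see before a SYSTEM-level sync job runs over the tree. The $SyncRoot path is a constructed placeholder.

```powershell
# Added audit example (not SyncBackFree code). Lists junctions and symlinks under a
# sync root and flags the ones that point outside it. Run as an administrator so that
# ownership can be read on every item.
param(
    # Assumption: the folder a Mirror profile reads from or writes to. Constructed value.
    [string]$SyncRoot = 'C:\Backups\MirrorTarget'
)

$root = (Resolve-Path -LiteralPath $SyncRoot).Path.TrimEnd('\')

# -Attributes ReparsePoint limits the enumeration to junctions, symbolic links and
# other reparse points; -Force includes hidden items an attacker might prefer.
Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # Target is an array on Windows PowerShell 5.1 and a string on PowerShell 7; wrap both.
        foreach ($t in @($item.Target)) {
            $resolved = $t
            # Some PowerShell versions return junction targets with an NT-style "\??\" prefix.
            if ($resolved -like '\??\*') { $resolved = $resolved.Substring(4) }
            $inside = ($resolved.TrimEnd('\') + '\').StartsWith(
                $root + '\', [System.StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Path        = $item.FullName
                LinkType    = $item.LinkType      # 'Junction' or 'SymbolicLink'
                Target      = $resolved
                EscapesRoot = -not $inside
                Owner       = (Get-Acl -LiteralPath $item.FullName).Owner
                Created     = $item.CreationTime
            }
        }
    } |
    Where-Object { $_.EscapesRoot } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

A reparse point owned by a non-administrative account whose target leaves the sync root is exactly the condition this CVE abuses; drop the Where-Object filter to review every link rather than only the escaping ones.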

Priority Score

Priority Score: 37 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0


EUVD-2025-17357 vulnerability details – vuln.today
