CVE-2025-5474: 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability

7.3 CVSS

Description

2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required.

The specific flaw exists within the Mirror functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-26962.

Classification

CVE ID: CVE-2025-5474

CVSS Base Severity: HIGH

CVSS Base Score: 7.3

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem Types

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Affected Products

Vendor: 2BrightSparks

Product: SyncBackFree

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.2% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5474
https://www.zerodayinitiative.com/advisories/ZDI-25-322/

Timeline

2025-06-03 21:45:29 UTC
Zero Day Initiative Published Advisories

ZDI-25-322: 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability
2025-06-06 19:40:22 UTC
CVE

2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability