Body Background
TrendAI™ Zero Day Initiative™ Logo

2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability

June 3rd, 2025
ZDI-25-322 ZDI-CAN-26962

CVE ID

CVE-2025-5474

CVSS Score

7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Vendors

2BrightSparks

Affected Products

SyncBackFree

Vulnerability Details

This vulnerability allows local attackers to escalate privileges on affected installations of 2BrightSparks SyncBackFree. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is also required.

The specific flaw exists within the Mirror functionality. By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

Additional Details

Fixed in SyncBack V11.3.106.0
https://www.2brightsparks.com/download-syncbackfree.html


Disclosure Timeline

  • 2025-05-13 - Vulnerability reported to vendor
  • 2025-06-03 - Coordinated public release of advisory
  • 2025-06-06 - Advisory Updated

Credit

Sharkkcode and Zeze with TeamT5

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected