CVE-2025-9870: 
NixOS vulnerability analysis and mitigation

A local privilege escalation vulnerability (CVE-2025-9870) was discovered in Razer Synapse 3's Philips HUE module installer. The vulnerability was reported on March 30, 2025, and publicly disclosed on September 30, 2025. This security flaw affects Razer Synapse 3 installations and allows local attackers to escalate privileges on affected systems (Zero Day Initiative).

The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High) with the following vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the Philips HUE module installer, where attackers can abuse the installer to delete arbitrary files by creating a symbolic link. This vulnerability requires an attacker to first obtain the ability to execute low-privileged code on the target system (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to escalate privileges and execute arbitrary code in the context of SYSTEM, potentially gaining complete control over the affected system (Zero Day Initiative).

The vulnerability has been fixed in Razer Synapse 3 version 3.10.730.71519. Users are advised to update to this version or later to protect against this security flaw (Zero Day Initiative).

The vulnerability was discovered and reported by security researcher 0x_alibabas (Zero Day Initiative).