Details about CVE-2022-26250 and CVE-2022-26251

Jeffrey Bencteux (https://www.bencteux.fr/posts/synaman/) reached out to Synametrics Technologies, Inc. around February 2022 regarding two vulnerabilities he discovered in SynaMan. This page talks about his concerns and our response.

In short, he claims two problems exist in SynaMan:

  • Problem 1 - CVE-2022-26250: The default permissions on the SynaMan installation folder are not strong enough.
  • Problem 2 - CVE-2022-26251: Someone who has the administrator's password can potentially run harmful code.

Problem 1 - CVE-2022-26250

An important point to note is that this concern is only applicable if an existing, authorized user on the machine decides to modify files or configuration. This CVE does not apply to users who do not have access to the machine, either physically or remotely.

The default installation location of SynaMan is C:\SynaMan on a Windows machine. However, according to Mr. Bencteux, this default location is vulnerable to file renames. In other words, an authenticated user on the device could potentially rename the C:\SynaMan\SynaMan.exe file and put a different file in its place, and the operating system will end up running the bad version of the file the next time the service starts.

We agree with this analysis and have therefore changed the default installation folder to C:\Program Files\SynaMan. Users who download the SynaMan Windows Installer after April 02, 2022, will see the default installation folder recommended by Mr. Bencteux.

A Note For Existing Users

This problem is only applicable if an authenticated user on the machine decides to act maliciously. No further steps are required if only trusted individuals are able to access the device.

To comply with Mr. Bencteux's recommendation, you can reinstall SynaMan and change the installation folder to C:\Program Files. You can do this even with older versions. Refer to this page for instructions.
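To verify whether an existing installation is exposed to the folder-permission problem described above, the following PowerShell script (an added example, not code from Synametrics or from Mr. Bencteux's report) lists every access-control entry on the installation folder and on SynaMan.exe that lets a principal other than SYSTEM, Administrators or TrustedInstaller write, delete or rename files there. The folder path and the list of trusted principals are assumptions; adjust them for your system.

```powershell
# Added example, not part of SynaMan: report ACL entries on the SynaMan folder
# and SynaMan.exe that let a non-administrative principal add, replace, delete
# or rename files, which is the weakness behind CVE-2022-26250.
param(
    # Old default location; run again with 'C:\Program Files\SynaMan' to compare.
    [string]$InstallDir = 'C:\SynaMan'
)

# Any of these rights on the folder lets a user add, rename or remove files in it;
# on the executable itself they let the binary be replaced.
$riskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

# Principals expected to hold write access to a program folder (assumed list).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-RiskyAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }      # deny entries only reduce access
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # Compare the raw bit masks so inherited generic rights are handled too.
        if (($ace.FileSystemRights.value__ -band $riskyRights.value__) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Error "Folder not found: $InstallDir"
    exit 1
}

# Check the folder and, when present, the service executable inside it.
$targets = @($InstallDir)
$exe = Join-Path $InstallDir 'SynaMan.exe'
if (Test-Path -LiteralPath $exe) { $targets += $exe }

$findings = $targets | ForEach-Object { Get-RiskyAce -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-administrative principals can modify this installation; reinstall it under C:\Program Files."
} else {
    Write-Host "No write access for non-administrative principals on $InstallDir"
}
```

On a default Windows volume, a folder created directly under C:\ inherits Modify rights for Authenticated Users, which this script reports; the same folder under C:\Program Files inherits only read and execute rights for ordinary users.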

Problem 2 - CVE-2022-26251

Mr. Bencteux claims that someone who has the administrator's password could misuse the Triggers feature in SynaMan to run malicious code.

The admin account in SynaMan is similar to the root account on a Linux operating system. In other words, significant damage can be done to the system if an unauthorized user can access your SynaMan with these administrative privileges.

Mr. Bencteux suggested enabling the Restrict admin access to localhost option by default to mitigate this risk. We disagree with this suggestion because legitimate administrators can lock themselves out if this option is checked during setup.

A Note For Existing Users

We recommend that every administrator follow the best practices published by Synametrics Technologies, Inc. regarding SynaMan, which include:

  • Changing the admin user ID
  • Restricting admin access to localhost, or to certain IP addresses only, where possible
  • Enabling an email alert when the admin logs in

These measures will ensure that no one but authorized users can access the admin account.
