CVE-2025-11772 Overview
CVE-2025-11772 is a DLL hijacking vulnerability affecting Synaptics fingerprint driver installations. A carefully crafted malicious DLL, when copied to the C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. This vulnerability is classified as CWE-427 (Uncontrolled Search Path Element), a common weakness where applications search for DLLs in insecure locations.
Critical Impact
Local privilege escalation through DLL hijacking during Synaptics fingerprint driver installation allows attackers to execute arbitrary code with SYSTEM-level privileges.
Affected Products
- Synaptics Fingerprint Driver Co-Installer
- Systems with Synaptics fingerprint drivers installed
- Windows systems using Synaptics biometric hardware
Discovery Timeline
- 2025-12-01 - CVE-2025-11772 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-11772
Vulnerability Analysis
This vulnerability has been assigned a CVSS v3.1 score of 6.6 (Medium) with the vector string CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The physical attack vector indicates that an attacker needs local access to the system to exploit this vulnerability, though once exploited, the impact on confidentiality, integrity, and availability is high.
The EPSS (Exploit Prediction Scoring System) probability is 0.021% (4.726 percentile), indicating a relatively low likelihood of exploitation in the wild at this time.
The vulnerability exists in the Synaptics fingerprint driver co-installer component, which loads DLLs from the C:\ProgramData\Synaptics directory during driver installation. This directory may have insufficient access controls, allowing local users to place malicious DLLs that will be loaded by the privileged installation process.
Root Cause
The root cause of CVE-2025-11772 is CWE-427: Uncontrolled Search Path Element. The Synaptics driver installation process does not properly validate or restrict the DLL search path, allowing it to load DLLs from a world-writable or insufficiently protected directory (C:\ProgramData\Synaptics). When the installer runs with elevated privileges during driver installation, it inadvertently loads and executes code from any malicious DLL placed in this location by a local attacker.
Attack Vector
The attack requires physical or local access to the target system (Attack Vector: Physical). An attacker with low privileges can exploit this vulnerability by:
- Creating a malicious DLL with the same name as a legitimate DLL expected by the Synaptics installer
- Placing the crafted DLL in the C:\ProgramData\Synaptics folder
- Waiting for or triggering a driver installation/update event
- The privileged installation process loads the malicious DLL, executing attacker-controlled code with elevated (typically SYSTEM) privileges
The attack does not require user interaction (UI:N) and has low attack complexity (AC:L), making it relatively straightforward to execute once local access is obtained.
Detection Methods for CVE-2025-11772
Indicators of Compromise
- Unexpected DLL files appearing in the C:\ProgramData\Synaptics directory
- Unusual file modifications or new files with DLL extensions in the Synaptics data folder
- Process creation events showing SYSTEM-level processes loading DLLs from C:\ProgramData\Synaptics
Detection Strategies
Organizations should implement file integrity monitoring on the C:\ProgramData\Synaptics directory to detect unauthorized modifications or additions. SentinelOne's behavioral AI can detect suspicious DLL loading patterns and privilege escalation attempts associated with DLL hijacking attacks. Key detection strategies include:
- Monitor for DLL file creation events in C:\ProgramData\Synaptics by non-administrative users
- Track process creation chains where Synaptics installer processes spawn unexpected child processes
- Alert on unusual code signing characteristics of DLLs in the Synaptics directory
- Implement application whitelisting to prevent unauthorized DLL execution
Monitoring Recommendations
Deploy endpoint detection and response (EDR) solutions capable of monitoring DLL loading behavior. SentinelOne Singularity provides real-time visibility into DLL injection and hijacking techniques. Configure Windows event logging to capture:
- Sysmon Event ID 7 (Image loaded) for DLL loading events
- Windows Security Event ID 4688 (Process Creation) with command line auditing
- File system auditing on the C:\ProgramData\Synaptics directory
How to Mitigate CVE-2025-11772
Immediate Actions Required
- Review and restrict NTFS permissions on the C:\ProgramData\Synaptics directory to prevent unauthorized write access
- Audit existing files in the Synaptics folder for unauthorized or suspicious DLLs
- Apply the vendor security update as outlined in the Synaptics security brief
Patch Information
Synaptics has released a security brief addressing this vulnerability. Organizations should consult the official security advisory at Synaptics Security Brief for detailed patching instructions and updated driver versions. Ensure all Synaptics fingerprint drivers are updated to the latest secure versions as recommended by the vendor.
Workarounds
If immediate patching is not possible, implement the following mitigations:
The primary workaround involves restricting access to the vulnerable directory. Administrators should modify the NTFS permissions on C:\ProgramData\Synaptics to allow write access only to administrators and SYSTEM accounts. This prevents low-privileged users from placing malicious DLLs in the directory. Additionally, organizations can implement application control policies to only allow signed, authorized DLLs to load during driver installation processes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
