A Google Project Zero security researcher discovered a very easy-to-exploit vulnerability in Logitech's Options tool. Tavis Ormandy found that Logitech's Options software opens a local WebSocket port that accepts commands without authentication. This enables attackers to send arbitrary keystrokes from any website, giving pretty much total control over an affected system.
Initially, Logitech didn't see the need to patch this vulnerability. Project Zero gives companies 90 days to patch bugs before making them public. Ormandy informed the peripheral maker in September and Logitech didn't fix the issue before the expiry of the deadline. Interestingly, Logitech did issue a fix three days after the vulnerability was made public. You can download the latest version of Options over here.
That program helpfully adds itself to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and therefore is always running), spawns multiple subprocesses and appears to be an Electron app. It also opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. A website can simply do this: