Bleeping Computer has extra details over here. It's a nasty bug but exploitation requires local access so the overall risk is relatively low.
It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.
Need local admin and have physical access?— jonhat (@j0nh4t) August 21, 2021
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
Presumably, a lot of other manufacturers may have similar bugs. Will Dormann from CERT/CC speculates this is a vulnerability of the type 'how has nobody realized this before now?' Razer promises to issue a fix asap.
Many vulnerabilities fall into the class of "How has nobody realized this before now?"— Will Dormann (@wdormann) August 22, 2021
If you combine the facts of "connecting USB automatically loads software" and "software installation happens with privileges", I'll wager that there are other exploitable packages out there...