ASUS Armoury Crate Vulnerability Allows Attackers to Escalate to System User on Windows

A high-severity authorization bypass vulnerability (CVE-2025-3464) has been identified in ASUS Armoury Crate 5.9.13.0, exposing Windows systems to potential privilege escalation attacks.

The flaw resides in the AsIO3.sys driver, which manages hardware communication for ASUS peripherals and components, and carries a CVSSv3 score of 8.81.

Cybersecurity firm Talos disclosed the vulnerability on June 16, 2025, following coordinated disclosure with ASUS.

Technical Breakdown of the Authorization Bypass

The vulnerability stems from improper authorization checks in the AsIO3.sys driver’s IRP_MJ_CREATE handler.

The driver implements a custom security mechanism that only allows processes with specific SHA-256 hashes (e.g., c5c176fc0cbf4cc4e37c84b6237392b8bea58dbccf5fbbc902819dfc72ca9efa for AsusCertService.exe) or whitelisted process IDs to access the \Device\Asusgio3 interface.

Attackers bypass this protection using a hard link manipulation technique:

  1. Create a hard link (core.exe) pointing to a malicious executable
  2. Execute the linked file
  3. Swap the hard link target to the legitimate AsusCertService.exe
  4. Exploit the race condition during the ZwQueryInformationProcess call (lines 22-27)

This tricks the driver into validating the legitimate ASUS binary while executing attacker-controlled code.

The PoC code below demonstrates the critical file-swapping logic:

```powershell
mklink /h core.exe TestCon2.exe          # Create initial hard link
.\core.exe                               # Execute malicious payload
del core.exe                             # Remove link
mklink /h core.exe AsusCertService.exe   # Re-link to legitimate binary
```

Exploitation Risks and Mitigation Strategies

Successful exploitation provides attackers with direct hardware access through the compromised driver, enabling:

  • Physical memory mapping via ZwMapViewOfSection
  • Raw I/O port communication using __inbyte/__outbyte instructions
  • MSR register read/write operations (e.g., rdmsr/wrmsr)

| Risk Factor | Technical Details |
|---|---|
| Attack Vector | Local (AV:L) – Requires execution |
| Privilege Requirement | Low (PR:L) – User-level access sufficient |
| Impact Scope | System Confidentiality/Integrity (C:H/I:H) |
| CVSSv3 | 8.8 (High) |
| Patch Status | Fixed in Armoury Crate ≥5.9.13.1 |

ASUS released patches on June 16, 2025, and users should immediately update through the Armoury Crate interface or manual download.

Organizations should:

  1. Audit systems for vulnerable Armoury Crate versions
  2. Monitor for suspicious hard link creation events
  3. Restrict non-administrative users from driver interaction using tools like accesschk.exe
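Steps 1 and 2 above call for a version audit and for watching hard link creation. The following is an added example, not code from the article or from Talos: it runs detection logic over constructed hard-link audit events, flagging a link that is re-created to point at AsusCertService.exe right after pointing somewhere else (the swap the PoC depends on), and checks a version string against the fixed build. It assumes the events were exported as JSON lines with time, pid, link and target keys; those key names, paths and sample events are this example's own.

```python
"""Detect the hard-link swap from the attack above in hard-link audit events.
Added example, not from the article or Talos. Assumes hard-link creation events
(e.g. Windows Security event 4664) exported as JSON lines with 'time', 'pid',
'link' and 'target' keys; key names, paths and sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries the driver trusts by hash; a link re-created to point at one of them
# right after pointing elsewhere is the swap the PoC relies on.
TRUSTED_ASUS_BINARIES = {"asuscertservice.exe"}
SWAP_WINDOW = timedelta(seconds=30)

SAMPLE_LOG = [  # constructed: attacker session, then a benign link
    r'{"time": "2025-06-16T10:00:00", "pid": 4120, "link": "C:\\Users\\bob\\core.exe", "target": "C:\\Users\\bob\\TestCon2.exe"}',
    r'{"time": "2025-06-16T10:00:02", "pid": 4120, "link": "C:\\Users\\bob\\core.exe", "target": "C:\\Program Files\\ASUS\\AsusCertService.exe"}',
    r'{"time": "2025-06-16T10:05:00", "pid": 5001, "link": "C:\\Users\\bob\\notes2.txt", "target": "C:\\Users\\bob\\notes.txt"}',
]

def parse_events(lines):
    """Decode JSON-lines hard-link events; timestamps become datetimes."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_link_swaps(events, window=SWAP_WINDOW):
    """Return (link, old_target, new_target) for each link re-created to point
    at a trusted ASUS binary within `window` of pointing somewhere else."""
    by_link = defaultdict(list)
    for ev in events:
        by_link[ev["link"].lower()].append(ev)
    findings = []
    for link, evs in by_link.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if (basename(cur["target"]) in TRUSTED_ASUS_BINARIES
                    and basename(prev["target"]) not in TRUSTED_ASUS_BINARIES
                    and cur["time"] - prev["time"] <= window):
                findings.append((link, prev["target"], cur["target"]))
    return findings

def is_vulnerable_version(version):
    """Armoury Crate builds below the fixed 5.9.13.1 are affected."""
    return tuple(int(p) for p in version.split(".")) < (5, 9, 13, 1)
```

On a real host the JSON lines would come from an export of the security log's hard-link creation events; the swap window is a tunable assumption.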

Hardware Security Implications

This vulnerability highlights systemic risks in vendor-specific driver architectures.

The AsIO3.sys implementation demonstrates three critical failures:

  1. Reliance on file hash checks rather than Windows security descriptors
  2. Lack of handle acquisition timestamp validation
  3. Improper separation of kernel/userland operations

Security researchers emphasize that such design patterns enable “living off the land” attacks, where malicious actors exploit legitimate drivers to bypass endpoint detection systems.

The Talos disclosure follows similar findings in 2024 affecting other OEM utilities, underscoring the need for stricter driver certification processes.

ASUS has not disclosed whether the vulnerability affected other product lines, but security teams recommend reviewing all ASUS software utilities for similar authorization flaws.

The company’s rapid patch deployment (118-day turnaround from disclosure) sets a positive precedent for OEM vulnerability response.

The post ASUS Armoury Crate Vulnerability Allows Attackers to Escalate to System User on Windows appeared first on Cyber Security News.
