ASUS Armoury Crate Vulnerability Let Attackers Escalate to System User on Windows Machine

A critical authorization bypass vulnerability in ASUS Armoury Crate enables attackers to gain system-level privileges on Windows machines through a sophisticated hard link manipulation technique. 

The vulnerability, tracked as CVE-2025-3464 with a CVSS score of 8.8, affects the popular gaming software’s AsIO3.sys driver and was patched by ASUS on June 16, 2025.

Authentication Bypass Via Hard Link Manipulation

The vulnerability uncovered by Cisco Talos researchers exploits a fundamental flaw in how the AsIO3.sys driver validates authorized applications. Under normal circumstances, the driver restricts access to only the legitimate AsusCertService.exe by comparing SHA-256 hashes of requesting processes. 

The driver performs this check using the ZwQueryInformationProcess function to retrieve the process image path, then calculates and compares SHA-256 hashes against a hardcoded value stored in the global variable g_sha256Hash.

This authentication mechanism can be circumvented using Windows hard links. The attack involves creating a hard link that initially points to a malicious executable, then switching the link destination to the legitimate AsusCertService.exe after the process starts but before the authentication check occurs. 

When the driver queries the process information, it receives the path to the hard link pointing to the authorized ASUS service, effectively bypassing the security validation.

The exploitation process involves specific timing manipulation of hard links. Attackers first create a hard link using the command mklink /h core.exe TestCon2.exe, launch their malicious application, then swap the link destination with mklink /h core.exe AsusCertService.exe before the driver performs its authentication check. 

This technique leverages the Time-of-Check-Time-of-Use (TOCTOU) race condition in the driver’s validation logic.

Once authenticated, the compromised application gains access to the Asusgio3 device, which exposes critical system functionalities including mapping arbitrary physical memory addresses into the virtual address space of the calling process, providing access to I/O port communication instructions, and enabling read/write operations to Model Specific Register (MSR) values. 

These capabilities essentially grant attackers kernel-level access to the system, allowing complete system compromise.

Risk Factors	Details
Affected Products	ASUS Armoury Crate v5.9.13.0 (AsIO3.sys driver)
Impact	Privilege escalation
Exploit Prerequisites	1. Local user access 2. Hard link creation permissions 3. Vulnerable driver installed
CVSS 3.1 Score	8.8 (High)

Patch Available

ASUS responded to the disclosure timeline appropriately, with Cisco Talos reporting the vulnerability on February 18, 2025, followed by ASUS releasing a patch on June 16, 2025. 

The vulnerability was publicly disclosed the same day as the patch release, following responsible disclosure practices. 

The vulnerability affects ASUS Armoury Crate version 5.9.13.0, and users are strongly advised to update to the latest patched version immediately.

This discovery highlights the ongoing security challenges in gaming software and the importance of proper authorization mechanisms in kernel-level drivers, particularly those managing hardware access and system-level operations.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access

The post ASUS Armoury Crate Vulnerability Let Attackers Escalate to System User on Windows Machine appeared first on Cyber Security News.