Critical ASUS Armoury Crate Vulnerability Exposes Windows Systems to Privilege Escalation
A high-severity vulnerability in ASUS’s Armoury Crate software, tracked as CVE-2025-3464, could allow attackers to gain SYSTEM-level privileges on Windows machines. The flaw, discovered by researcher Marcin Noga of Cisco Talos, stems from a driver that relies on a hardcoded SHA-256 hash of AsusCertService.exe and a PID allowlist for caller verification.
Exploitation involves creating a hard link between a benign test application and a malicious executable, then redirecting the link to AsusCertService.exe to bypass security checks. Once exploited, the vulnerability grants attackers low-level access to I/O ports, physical memory, and model-specific registers, potentially leading to a full system compromise.
While no active exploitation has been reported, the issue affects ASUS Armoury Crate versions 5.9.9.0 through 6.1.18.0. ASUS has released patches via the Armoury Crate app, urging users to update immediately to mitigate the risk.
Source: https://www.scworld.com/brief/windows-privilege-escalation-possible-with-asus-armoury-crate-flaw
ASUS cybersecurity rating report: https://www.rankiteo.com/company/asus
"id": "ASU1767834403",
"linkid": "asus",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'All Windows users with ASUS '
'Armoury Crate versions between '
'5.9.9.0 and 6.1.18.0',
'industry': 'Technology/Hardware',
'name': 'ASUS',
'type': 'Company'}],
'attack_vector': 'Local',
'customer_advisories': 'All Windows users with affected versions urged to '
'update immediately',
'description': 'Attackers could achieve escalated SYSTEM privileges on '
'Windows machines through the exploitation of a high-severity '
'ASUS Armoury Crate system management software vulnerability, '
"tracked as CVE-2025-3464. The flaw stems from a driver's use "
'of hardcoded SHA-256 hash of AsusCertService.exe and a PID '
'allowlist for caller verification, which could be abused by '
'linking a benign test app to a bogus executable and later '
'replacing the hard link to redirect to AsusCertService.exe to '
'facilitate subsequent driver access. With driver access '
'enabling low-level system privileges, threat actors could '
'infiltrate I/O ports, physical memory, and model-specific '
'registers for complete operating system compromise.',
'impact': {'operational_impact': 'Complete operating system compromise '
'possible',
'systems_affected': 'Windows machines with ASUS Armoury Crate '
'versions between 5.9.9.0 and 6.1.18.0'},
'investigation_status': 'Vulnerability disclosed, no active exploitation '
'observed',
'post_incident_analysis': {'corrective_actions': 'Software update to remove '
'hardcoded hashes and '
'improve verification '
'mechanisms',
'root_causes': 'Hardcoded SHA-256 hash of '
'AsusCertService.exe and PID '
'allowlist for caller verification '
'in the driver'},
'recommendations': 'Apply the latest updates for ASUS Armoury Crate to '
'mitigate the vulnerability.',
'references': [{'source': 'BleepingComputer'},
{'source': 'Cisco Talos Advisory'}],
'response': {'containment_measures': 'Users urged to immediately apply '
'updates available within the Armoury '
'Crate app',
'remediation_measures': 'Software update to patch the '
'vulnerability'},
'title': 'ASUS Armoury Crate Privilege Escalation Vulnerability '
'(CVE-2025-3464)',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'CVE-2025-3464'}