ASUS

ASUS disclosed a critical security vulnerability (CVE-2025-59373, CVSS 8.5) in its MyASUS application, specifically within the ASUS System Control Interface Service. This flaw allows local attackers with low-level access to escalate privileges to SYSTEM-level, granting full control over affected Windows devices. Exploitation requires no user interaction and has low attack complexity, posing severe risks in corporate environments where a single compromised endpoint could enable broader network intrusion.

The vulnerability affects millions of ASUS devices globally, including desktops, laptops, NUCs, and All-in-One PCs. Attackers gaining SYSTEM privileges could execute arbitrary code, install malware, steal sensitive data, or modify system configurations. While ASUS has released patches (versions 3.1.48.0 for x64 and 4.2.48.0 for ARM), unpatched systems remain at high risk of privilege-escalation attacks, potentially leading to lateral movement across enterprise networks.

Organizations are urged to prioritize patching and monitor for suspicious activity, as the flaw’s high severity and ease of exploitation make it a prime target for cybercriminals.

Source: https://cyberpress.org/asus-high-severity-vulnerability/

ASUS cybersecurity rating report: https://www.rankiteo.com/company/asus

"id": "ASU2932929112625",
"linkid": "asus",
"type": "Vulnerability",
"date": "6/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'Millions of ASUS computer users '
                                              'worldwide',
                        'industry': 'Technology (Hardware/Software)',
                        'location': 'Global',
                        'name': 'ASUS',
                        'type': 'Corporation'}],
 'attack_vector': 'Local',
 'customer_advisories': 'Public notification issued with patch instructions',
 'description': 'ASUS has disclosed a critical security vulnerability '
                '(CVE-2025-59373, CVSS 8.5) in its MyASUS application, '
                'enabling local attackers to escalate privileges to '
                'SYSTEM-level access on affected Windows devices. The flaw '
                'resides in the ASUS System Control Interface Service, a core '
                'component managing hardware settings. Exploitation requires '
                'local access with low privileges but grants full system '
                'control, posing high risks for confidentiality, integrity, '
                'and availability. Patches (v3.1.48.0 for x64, v4.2.48.0 for '
                'ARM) are available via Windows Update. Organizations are '
                'urged to prioritize deployment due to the high-severity '
                'rating and potential for lateral network intrusion in '
                'corporate environments.',
 'impact': {'brand_reputation_impact': 'Potential risk due to high-severity '
                                       'vulnerability',
            'operational_impact': 'High (potential for arbitrary code '
                                  'execution, malware installation, lateral '
                                  'network movement)',
            'systems_affected': ['ASUS personal computers (desktops, laptops, '
                                 'NUC systems, All-in-One PCs) running '
                                 'MyASUS']},
 'investigation_status': 'Disclosed; Patches released',
 'post_incident_analysis': {'corrective_actions': ['Patch release (v3.1.48.0, '
                                                   'v4.2.48.0)',
                                                   'Public disclosure and '
                                                   'update advisory'],
                            'root_causes': ['Privilege escalation '
                                            'vulnerability in ASUS System '
                                            'Control Interface Service']},
 'recommendations': ['Apply security updates (v3.1.48.0 for x64, v4.2.48.0 for '
                     'ARM) immediately via Windows Update',
                     'Prioritize patch deployment in corporate environments to '
                     'mitigate lateral movement risks',
                     'Monitor systems for signs of exploitation (e.g., '
                     'unauthorized privilege escalation)',
                     'Verify installed MyASUS version via Settings > About'],
 'references': [{'source': 'ASUS Security Advisory'}],
 'response': {'communication_strategy': ['Public disclosure',
                                         'User advisory for patch '
                                         'verification'],
              'containment_measures': ['Patch deployment (ASUS System Control '
                                       'Interface v3.1.48.0 for x64, v4.2.48.0 '
                                       'for ARM)'],
              'enhanced_monitoring': 'Recommended for exploitation attempts',
              'remediation_measures': ['Urgent patch application via Windows '
                                       'Update',
                                       'Monitoring for suspicious activity']},
 'stakeholder_advisories': 'Users and organizations advised to update '
                           'immediately',
 'title': 'Critical Privilege Escalation Vulnerability in ASUS MyASUS '
          'Application (CVE-2025-59373)',
 'type': ['Vulnerability', 'Privilege Escalation'],
 'vulnerability_exploited': {'affected_component': 'ASUS System Control '
                                                   'Interface Service (MyASUS)',
                             'attack_complexity': 'Low',
                             'cve_id': 'CVE-2025-59373',
                             'cvss_score': '8.5 (High)',
                             'exploit_prerequisites': ['Local access',
                                                       'Low privileges']}}