
ASUS Armoury Crate Vulnerability Allows SYSTEM Privilege Escalation

by Tekmono Editorial Team
19/06/2025

A critical vulnerability has been discovered in ASUS Armoury Crate, potentially allowing attackers to escalate privileges to SYSTEM level on Windows operating systems, posing a significant threat to users.

The vulnerability, identified as CVE-2025-3464, has been assigned a high severity score of 8.8 out of 10. The flaw resides within the AsIO3.sys driver, a component of the Armoury Crate software suite, which provides a centralized interface for managing ASUS devices, controlling RGB lighting, adjusting fan curves, and downloading updates. The vulnerability allows attackers to bypass authorization mechanisms and gain low-level system privileges.

Marcin “Icewall” Noga, a researcher at Cisco Talos, reported the vulnerability to ASUS. According to Cisco Talos’ advisory, the vulnerability stems from the driver’s improper verification of callers. Instead of using standard OS-level access controls, the driver relies on a hardcoded SHA-256 hash of AsusCertService.exe and a PID allowlist. Exploitation involves creating a hard link from a benign application to a fake executable. The attacker then launches the application, pauses it, and swaps the hard link to point to AsusCertService.exe. When the driver then checks the file’s SHA-256 hash, it reads the now-linked trusted binary, so the check passes and the attacker gains access to the driver.

Successful exploitation grants the attacker low-level system privileges, providing direct access to physical memory, I/O ports, and model-specific registers (MSRs). This could lead to a complete compromise of the operating system. It is essential to note that attackers need existing system access to exploit CVE-2025-3464, meaning they must already have a foothold on the target system through methods such as malware infection, phishing, or compromised accounts. However, the widespread deployment of Armoury Crate makes it an attractive target.

Cisco Talos validated the vulnerability in Armoury Crate version 5.9.13.0. ASUS has stated that the vulnerability affects versions 5.9.9.0 to 6.1.18.0. The recommended mitigation is to update Armoury Crate to the latest version. Users can update by opening the Armoury Crate app and navigating to “Settings” > “Update Center” > “Check for Updates” > “Update.”
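For defenders triaging endpoints, the following is an added example (not code from ASUS, Cisco Talos, or this article) that flags versions inside the affected range stated above and hunts for extra hard links to the trusted service binary, the artifact the described bypass depends on. The function names, the search roots, and the premise that a clean install has only one name for AsusCertService.exe are assumptions.

```python
import os
import tempfile

# Affected range as stated by ASUS in the article (inclusive on both ends).
AFFECTED_MIN = (5, 9, 9, 0)
AFFECTED_MAX = (6, 1, 18, 0)


def is_affected(version: str) -> bool:
    """True if a dotted Armoury Crate version lies inside the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (4 - len(parts))  # pad short versions, e.g. "6.2" -> 6.2.0.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def find_extra_links(trusted_path: str, search_roots: list[str]) -> list[str]:
    """Return other directory entries that are hard links to trusted_path.

    Hard links share one file identity (volume + file index), so an entry with
    the same (st_dev, st_ino) is an alias of the trusted binary.
    Assumption: a clean install has exactly one name for this file.
    """
    target = os.stat(trusted_path)
    if target.st_nlink <= 1:  # link count of 1 means no alias exists anywhere
        return []
    trusted_real = os.path.realpath(trusted_path)
    hits = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                candidate = os.path.join(dirpath, name)
                try:
                    st = os.stat(candidate, follow_symlinks=False)
                except OSError:
                    continue  # unreadable or vanished entry
                same_file = (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino)
                if same_file and os.path.realpath(candidate) != trusted_real:
                    hits.append(candidate)
    return sorted(hits)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        trusted = os.path.join(tmp, "AsusCertService.exe")  # stand-in file
        with open(trusted, "wb") as fh:
            fh.write(b"constructed sample")
        os.link(trusted, os.path.join(tmp, "alias.exe"))
        print(find_extra_links(trusted, [tmp]), is_affected("5.9.13.0"))
```

Hard links cannot cross volumes, so the search roots only need to cover user-writable directories on the volume that holds the service binary. The alias may exist only briefly, so an empty result is a hunting signal and does not replace updating.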

Cisco reported the vulnerability to ASUS in February. Currently, there are no reports of the vulnerability being exploited in the wild. Nevertheless, ASUS strongly advises users to update their Armoury Crate installation to the latest version to protect their systems.

Tekmono is a Linkmedya brand. © 2015.
