Vulnerability in ASUS Armoury Crate Exposes Windows Admin Privileges to Potential Exploitation

A significant vulnerability within the ASUS Armoury Crate software has been identified, allowing potential exploitation by malicious actors to escalate privileges to the SYSTEM level on Windows operating systems. This vulnerability, designated as CVE-2025-3464, has been rated with a severity score of 8.8 out of 10.

The flaw is related to AsIO3.sys, a kernel driver associated with the Armoury Crate management software, which operates as a centralized interface for managing various ASUS hardware features, including RGB lighting (Aura Sync), fan controls, performance profiles, and driver updates. For effective operation, Armoury Crate requires low-level access to system hardware via this kernel driver.

The issue was reported by researcher Marcin “Icewall” Noga from Cisco Talos. According to a Talos advisory, the vulnerability stems from improper access control within the driver, which relies on a hardcoded SHA-256 hash of AsusCertService.exe alongside an allowlist of process IDs, rather than implementing standard operating system-level security controls.

Exploitation of this vulnerability involves a relatively straightforward process. An attacker can create a hard link from a legitimate application to a malicious executable. By pausing the benign application and redirecting the hard link to AsusCertService.exe, the driver subsequently verifies the SHA-256 hash of the now-linked executable—thus bypassing authorization checks. This manipulation grants the attacker low-level system privileges, enabling direct access to physical memory and hardware registers, potentially leading to a complete system compromise.

It is crucial to note that successful exploitation requires the attacker to already have access to the victim’s system, possibly through initial malware infections, phishing attacks, or access via compromised accounts. Nevertheless, the wide deployment of Armoury Crate software globally increases the vulnerability’s attractiveness to attackers.

Cisco Talos has confirmed the impact of this vulnerability on Armoury Crate version 5.9.13.0; however, ASUS’s security advisory indicates that all versions between 5.9.9.0 and 6.1.18.0 are affected. Users are urged to mitigate this risk by updating their Armoury Crate applications. To update, users should navigate to “Settings,” select “Update Center,” and then initiate a “Check for Updates.”

Reporting of this vulnerability to ASUS occurred in February, and while no active exploitation has been documented, the company strongly encourages users to update to the latest software version to enhance security.

Kernel driver vulnerabilities leading to local privilege escalation are frequently targeted by cybercriminals, including ransomware groups, malware developers, and entities intending to compromise sensitive government systems. Such weaknesses represent a critical area for heightened vigilance and proactive mitigation strategies within organizational security frameworks.