ASUS Armoury Crate Vulnerability Let Attackers Escalate to System User on Windows Machine
A critical authorization bypass vulnerability in ASUS Armoury Crate enables attackers to gain system-level privileges on Windows machines through a sophisticated hard link manipulation technique.
The vulnerability, tracked as CVE-2025-3464 with a CVSS score of 8.8, affects the popular gaming software’s AsIO3.sys driver and was patched by ASUS on June 16, 2025.
Authentication Bypass Via Hard Link Manipulation
The vulnerability uncovered by Cisco Talos researchers exploits a fundamental flaw in how the AsIO3.sys driver validates authorized applications. Under normal circumstances, the driver restricts access to only the legitimate AsusCertService.exe by comparing SHA-256 hashes of requesting processes.
.png
"ASUS Armoury Crate Vulnerability Let Attackers Escalate to System User on Windows Machine 2")
The driver performs this check using the ZwQueryInformationProcess function to retrieve the process image path, then calculates and compares SHA-256 hashes against a hardcoded value stored in the global variable g_sha256Hash.
This authentication mechanism can be circumvented using Windows hard links. The attack involves creating a hard link that initially points to a malicious executable, then switching the link destination to the legitimate AsusCertService.exe after the process starts but before the authentication check occurs.
When the driver queries the process information, it receives the path to the hard link pointing to the authorized ASUS service, effectively bypassing the security validation.
The exploitation process involves specific timing manipulation of hard links. Attackers first create a hard link using the command mklink /h core.exe TestCon2.exe, launch their malicious application, then swap the link destination with mklink /h core.exe AsusCertService.exe before the driver performs its authentication check.
This technique leverages the Time-of-Check-Time-of-Use (TOCTOU) race condition in the driver’s validation logic.
Once authenticated, the compromised application gains access to the Asusgio3 device, which exposes critical system functionalities including mapping arbitrary physical memory addresses into the virtual address space of the calling process, providing access to I/O port communication instructions, and enabling read/write operations to Model Specific Register (MSR) values.
These capabilities essentially grant attackers kernel-level access to the system, allowing complete system compromise.
| Risk Factors | Details |
| Affected Products | ASUS Armoury Crate v5.9.13.0 (AsIO3.sys driver) |
| Impact | Privilege escalation |
| Exploit Prerequisites | 1. Local user access 2. Hard link creation permissions 3. Vulnerable driver installed |
| CVSS 3.1 Score | 8.8 (High) |
Patch Available
ASUS responded to the disclosure timeline appropriately, with Cisco Talos reporting the vulnerability on February 18, 2025, followed by ASUS releasing a patch on June 16, 2025.
The vulnerability was publicly disclosed the same day as the patch release, following responsible disclosure practices.
The vulnerability affects ASUS Armoury Crate version 5.9.13.0, and users are strongly advised to update to the latest patched version immediately.
This discovery highlights the ongoing security challenges in gaming software and the importance of proper authorization mechanisms in kernel-level drivers, particularly those managing hardware access and system-level operations.
Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access
Source link
