A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines.
The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10.
It could be exploited to bypass authorization and affects the AsIO3.sys of the Armoury Crate system management software.
Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates.
To perform all these functions and provide low-level system monitoring, the software suite uses the kernel driver to access and control hardware features.
Cisco Talos' researcher Marcin "Icewall" Noga reported CVE-2025-3464 to the tech company.
According to a Talos advisory, the issue lies in the driver verifying callers based on a hardcoded SHA-256 hash of AsusCertService.exe and a PID allowlist, instead of using proper OS-level access controls.
Exploiting the flaw involves creating a hard link from a benign test app to a fake executable. The attacker launches the app, pauses it, and then swaps the hard link to point to AsusCertService.exe.
When the driver checks the file's SHA-256 hash, it reads the now-linked trusted binary, allowing the test app to bypass authorization and gain access to the driver.
This grants the attacker low-level system privileges, giving them direct access to physical memory, I/O ports, and model-specific registers (MSRs), opening the path to full OS compromise.
It is important to note that the attacker must already be on the system (malware infection, phishing, compromised unprivileged account) to exploit CVE-2025-3464.
However, the extensive deployment of the software on computers worldwide may represent an attack surface large enough for exploitation to become attractive.
Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0.
To mitigate the security problem, it is recommended to apply the latest update by opening the Armoury Crate app and going to "Settings"> "Update Center"> "Check for Updates"> "Update."
Cisco reported the flaw to ASUS in February but no exploitation in the wild has been observed so far. However, "ASUS strongly recommends that users update their Armoury Crate installation to the latest version."
Windows kernel driver bugs that lead to local privilege escalation are popular among hackers, including ransomware actors, malware operations, and threats to government agencies.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Comments
PXAbstraction - 9 months ago
I would love to see one of the big tech channels that do investigations like Gamers Nexus or someone similar to try and do a deep dive investigation into motherboard/GPU control software. It's almost universally trash quality and full of dated libraries, spaghetti code and exploits.
It doesn't matter what brand you buy from, they're all terrible. The only one that's kind of alright is Sapphire TRIXX and that's only because it's very limited in what it can do and it's written as a portable application that doesn't need to be installed or keep services running. The multi-billion dollar companies selling the products that this software managed have zero excuses for this level of incompetence. Paying an experienced developer probably 1/10 the cost of their average yearly CES booth costs would probably get them a top-tier application that they could actually use the quality of as a marketing tool.
NoneRain - 9 months ago
What's called when a cancer has a cancer?
jdubya62 - 9 months ago
ASUS Lymphoma