Critical ASUS Armoury Crate Flaw (CVE-2025-3464) Allows SYSTEM-Level Privilege Escalation
Do Son 
A critical vulnerability has been identified in ASUS’s Armoury Crate software, allowing threat actors to escalate privileges to SYSTEM level on Windows devices. Designated CVE-2025-3464, the flaw has been assigned a CVSS score of 8.8.
Armoury Crate is used for managing ASUS systems and peripherals—it controls lighting, fan behavior, performance profiles, and facilitates driver and firmware updates. To perform these tasks, the application interacts with the system at the kernel level via the AsIO3.sys driver, which is precisely where the vulnerability resides.
The issue stems from the driver’s flawed method of validating access requests. Rather than relying on standard OS-level access control mechanisms, AsIO3.sys uses a hardcoded SHA-256 hash of the AsusCertService.exe executable and a list of approved process IDs (PIDs). This setup can be circumvented through a relatively straightforward substitution technique.
The attack leverages a hard link created between a benign application and a rogue executable. After launching the application, the attacker pauses its execution and replaces the link with the legitimate AsusCertService.exe. When the driver verifies the hash, it detects a trusted file and grants access. As a result, the attacker obtains SYSTEM-level privileges, including unfettered access to physical memory, I/O ports, and CPU registers—opening the door to full system compromise.
The exploit requires prior access to the target machine, typically achieved through malware infection or phishing. Nevertheless, the widespread use of Armoury Crate makes this vulnerability an appealing target for threat actors.
The flaw was discovered by Cisco Talos and reported to ASUS in February 2025. Cisco confirmed the vulnerability in Armoury Crate version 5.9.13.0, while ASUS stated that all versions from 5.9.9.0 to 6.1.18.0 are affected.
To mitigate the vulnerability, users are urged to update Armoury Crate to the latest version. This can be done within the application by navigating to Settings > Update Center > Check for Updates > Update.
Although there have been no confirmed cases of CVE-2025-3464 being exploited in the wild, ASUS emphasizes the importance of applying updates promptly. Kernel driver vulnerabilities that enable local privilege escalation have long been attractive to ransomware operators, malicious actors, and those targeting governmental infrastructures.
Donate