What is CVE-2025-3464?

CVE-2025-3464 is an authorization bypass vulnerability with a CVSS score of 8.8 affecting ASUS Armoury Crate, the company's centralized system management software for Windows. The vulnerability stems from the AsIO3.sys driver component within Armoury Crate.

What causes the CVE-2025-3464 vulnerability?

The vulnerability exists in how the AsIO3.sys driver verifies calling applications. Instead of using operating system-level access controls, it relies on a hardcoded SHA-256 hash of AsusCertService.exe and a process ID allowlist, which can be bypassed through hard link manipulation.

Which versions of ASUS Armoury Crate are affected by CVE-2025-3464?

The vulnerability affects Armoury Crate versions between 5.9.9.0 and 6.1.18.0. Users running these versions should update immediately to the latest available version.

How can users fix the CVE-2025-3464 vulnerability?

ASUS strongly recommends that all users immediately update their Armoury Crate installations to the latest available version. Users can obtain the security update by opening Armoury Crate, navigating to Settings > Update Center > Check for Updates, then clicking Update when the new version becomes available.

Is this the first vulnerability found in ASUS Armoury Crate this year?

No, this is the second report of a similar vulnerability in ASUS Armoury Crate this year, indicating ongoing security concerns with the software's authorization mechanisms.

What is the severity level of CVE-2025-3464?

CVE-2025-3464 is classified as high severity with a CVSS score of 8.8, indicating a significant security risk that requires prompt attention and patching.

How does the hard link attack technique work in this vulnerability?

The attack involves creating a hard link that initially points to a benign application, launching it, pausing execution, then swapping the link to point to the legitimate AsusCertService.exe. This tricks the driver's hash verification process into validating the trusted binary while allowing the malicious application to run with elevated privileges.

Why is this vulnerability particularly dangerous?

This vulnerability is particularly dangerous because it grants attackers kernel-level access to critical system resources including physical memory, I/O ports, and processor registers. This level of access can lead to complete system compromise, data theft, or the installation of persistent malware that's difficult to detect and remove.

Advisory

Another flaw in ASUS Armoury Crate mainboard update system enables System-level privilege escalation

Q: What is ASUS Armoury Crate?

ASUS Armoury Crate is the company's official system control software that provides a centralized interface to control RGB lighting through Aura Sync, adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. It uses kernel drivers to access and control hardware features.

Q: What system privileges can attackers gain from CVE-2025-3464?

This bypass grants attackers extensive low-level system privileges, including direct access to physical memory, input/output ports, and model-specific registers (MSRs), effectively opening a pathway to complete operating system compromise.

published: June 17, 2025

Take action: If you are running an ASUS mainboard on your computer, update the Armory Crate software. The exploit chain is complicated, but hackers have found a way to abuse it before, so they will find a way to abuse it again.

Learn More

ASUS has patched an authorization bypass vulnerability in Armoury Crate, its centralized system management software for Windows. Armoury Crate serves as ASUS's official system control software, providing a centralized interface to control RGB lighting through Aura Sync, adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. To perform these low-level system functions and provide comprehensive system monitoring, the software suite utilizes kernel drivers to access and control hardware features.

The vulnerability is tracked as CVE-2025-3464 (CVSS score 8.8) and stems from the AsIO3.sys driver component within Armoury Crate, affecting the Asusgio3 device that the driver creates. The vulnerability exists in how the driver verifies calling applications, relying on a hardcoded SHA-256 hash of AsusCertService.exe and a process ID allowlist instead of operating system-level access controls.

An attacker can create a hard link from a benign test application to a fake executable. The attacker launches the application, pauses execution, and then swaps the hard link to point to the legitimate AsusCertService.exe binary. When the driver performs its security check by verifying the file's SHA-256 hash, it reads the now-linked trusted binary, allowing the malicious test application to bypass authorization controls and gain unauthorized access to the driver. This bypass grants the attacker extensive low-level system privileges, including direct access to physical memory, input/output ports, and model-specific registers (MSRs), effectively opening a pathway to complete operating system compromise.

The vulnerability affects Armoury Crate versions between 5.9.9.0 and 6.1.18.0. The vulnerability requires an attacker to already have some level of access to the target system through methods such as malware infection, phishing campaigns, or compromised unprivileged accounts.

This is a second report of a similar vulnerability in the ASUS Armory Crate this year.

ASUS strongly recommends that all users immediately update their Armoury Crate installations to the latest available version. Users can obtain the security update by opening the Armoury Crate application and navigating to "Settings" > "Update Center" > "Check for Updates," then clicking "Update" when the new version becomes available.

Another flaw in ASUS Armoury Crate mainboard update system enables System-level privilege escalation

Read More
Google warns of actively exploited flaw in Samsung …
Google fixes critical vulnerabilities in Chromecast devices
Google releases update for Chrome and Chromium browsers, …
Adobe releases April 2025 patches for multiple products
Anthropic Patches "ShadowPrompt" Vulnerability in Claude Chrome Extension