ASUS has released critical security updates addressing a local privilege escalation (LPE) vulnerability in the ASUS System Control Interface Service, a core component used by the MyASUS application across ASUS desktop PCs, laptops, NUC systems, and All-in-One machines.
Tracked as CVE-2025-59373 with a CVSS score of 8.4 (High), the flaw allows a low-privileged user to escalate privileges to SYSTEM, the highest level on Windows, by abusing a flawed file-restore mechanism.
According to the advisory, “a local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM.”
This means that any attacker with basic local access — including malware running under standard user permissions — could replace trusted files with malicious ones, gaining full control over the device.
ASUS confirms that the issue impacts all personal computers, specifically:
- Desktops
- Laptops
- NUC systems
- All-in-One (AIO) PCs
Any device running an affected version of the ASUS System Control Interface is vulnerable.
ASUS has resolved the vulnerability in the following updated releases:
- ASUS System Control Interface 3.1.48.0 (x64)
- ASUS System Control Interface 4.2.48.0 (ARM)
Users can verify their installed version by navigating to: MyASUS → Settings → About.
Users can obtain the update through:
- Windows Update
- Downloading the updated package directly from the ASUS Support site.
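For fleets where checking MyASUS → Settings → About on each machine is impractical, the comparison against the fixed releases above can be scripted over an inventory export. The following is an added example, not ASUS code: the CSV layout, host names and versions are constructed, and it assumes that any build numerically below the fixed release for its architecture still needs the update.

```python
import csv
import io

# Fixed releases named in the advisory, keyed by architecture.
FIXED = {"x64": (3, 1, 48, 0), "arm": (4, 2, 48, 0)}

def parse_version(text):
    """Turn '3.1.48.0' into (3, 1, 48, 0); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(arch, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one machine."""
    fixed = FIXED.get(arch.strip().lower())
    if fixed is None:
        return "unknown"          # architecture not covered by the advisory
    try:
        installed = parse_version(version_text)
    except ValueError:
        return "unknown"          # missing or malformed version: check by hand
    # Assumption: a build below the fixed release still needs the update.
    # Compare as integer tuples; as strings, "3.1.9.0" sorts above "3.1.48.0".
    return "patched" if installed >= fixed else "needs-update"

def triage_inventory(csv_text):
    """Map each host in a host,arch,version CSV export to its status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["arch"], row["version"]) for row in reader}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,arch,version
lab-01,x64,3.1.48.0
lab-02,x64,3.1.9.0
lab-03,ARM,4.2.47.0
lab-04,x64,
lab-05,ARM,4.2.50.0
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` have a missing or malformed version field and should be checked manually rather than assumed patched.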