Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information.
AnalysisAI
Privilege escalation in ASUS Member Center (华硕大厅) versions 1.6.6.4 and earlier allows authenticated local users to achieve Administrator-level privilege escalation by exploiting a Time-of-check Time-of-use (TOC-TOU) race condition during the update process. An attacker can substitute a malicious payload for the legitimate downloaded update immediately after integrity verification completes but before execution, causing the compromised code to run with administrative privileges upon user consent. CVSS 5.4 reflects the requirement for local access, user interaction, and elevated (but non-Administrator) initial privileges; however, the vulnerability achieves full privilege escalation to Administrator with moderate technical difficulty.
Technical ContextAI
The vulnerability exists in the update mechanism of ASUS Member Center, a Windows application bundled on ASUS systems. The root cause is CWE-494 (Download of Code Without Integrity Check), manifesting as a Time-of-check Time-of-use (TOCTOU) race condition. The update module downloads code and performs integrity validation (likely hash or signature verification), but a window exists between validation completion and code execution during which an attacker with local file-system access can replace the validated file with malicious content. When the update executes with administrative privileges (by virtue of User Access Control elevation or a privileged service), the attacker's payload runs at that privilege level. CPE cpe:2.3:a:asus:member_center(华硕大厅):*:*:*:*:*:*:*:* identifies the affected product family across all versions up to and including 1.6.6.4.
RemediationAI
Upgrade ASUS Member Center to version 1.6.6.5 or later (exact patched version must be confirmed in the ASUS Security Advisory referenced at https://www.asus.com/security-advisory/). Users should not rely on workarounds because the vulnerability is in the core update mechanism; attempting to disable updates is impractical and leaves systems exposed to other vulnerabilities addressed in future ASUS updates. Alternatively, on shared or multi-user systems, temporarily restrict write permissions to the update cache directory (typically %LocalAppData%\ASUS or %ProgramData%\ASUS) to non-privileged users until the patch is deployed, preventing attackers from modifying files during the validation window; however, this may interfere with the update process and is not a permanent mitigation. For IT administrators managing ASUS systems across an organization, prioritize patching ASUS Member Center on systems with multiple local user accounts or shared access, as this increases the likelihood of a local attacker being present. Patch testing and deployment should be coordinated with ASUS support if the exact patched version is not immediately clear from the advisory.
Same weakness CWE-494 – Download of Code Without Integrity Check
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23158
GHSA-49h6-4qj3-4f42