Skip to main content

ASUS System Control Interface EUVDEUVD-2026-33245

| CVE-2026-7480 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-29 ASUS GHSA-9p3q-hww2-4c52
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 29, 2026 - 02:26 vuln.today
CVSS changed
May 29, 2026 - 02:22 NVD
7.3 (HIGH)

DescriptionCVE.org

An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypass the validation mechanism. Refer to the 'Security Update for ASUS System Control Interface' section on the ASUS Security Advisory for more information.

AnalysisAI

Local privilege escalation in ASUS System Control Interface allows an authenticated low-privileged user to gain SYSTEM-level code execution by issuing a crafted RPC call that bypasses the component's validation logic. The flaw stems from incorrect permission assignment (CWE-732) on a critical resource exposed over RPC, and no public exploit identified at time of analysis. CVSS 4.0 scores it 7.3 with high attack complexity, indicating exploitation is non-trivial but yields full host compromise.

Technical ContextAI

ASUS System Control Interface is a Windows-based management/utility service preinstalled on many ASUS laptops and workstations to expose hardware control functions (fan, power, sensors, firmware interaction) to user-mode applications, typically via a privileged service that brokers calls over RPC. CWE-732 (Incorrect Permission Assignment for Critical Resource) here means the RPC interface or an underlying resource it exposes is reachable by low-privileged callers without enforcing an authorization check appropriate to the privileged operations it performs. Because the service itself runs as SYSTEM, any unauthenticated-to-service or insufficiently-validated RPC method that performs sensitive actions effectively grants the caller SYSTEM. The two CPE entries point to asus:asus_system_control_interface with version components left as wildcards, so the precise affected version range is not enumerated in the available data.

RemediationAI

No vendor-released patch version is identified in the provided data; remediation guidance points to the ASUS Security Advisory portal at https://www.asus.com/security-advisory/ under the 'Security Update for ASUS System Control Interface' section, which should be consulted to obtain the exact fixed build and applied through ASUS's update mechanism (MyASUS or the System Control Interface installer) across affected endpoints. As a compensating control where immediate patching is not feasible, consider uninstalling the System Control Interface component on devices that do not require ASUS hardware management features (trade-off: loss of fan, battery, and sensor management integration with MyASUS) or restricting access to the service via host-based controls and standard-user policy that limits who can reach the RPC endpoint, recognizing that any authenticated local user is in scope per the CVSS vector. EDR detection for unexpected child processes spawned by the System Control Interface service running as SYSTEM is a reasonable monitoring fallback until the patch is deployed.

Share

EUVD-2026-33245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy