Skip to main content

ASUS Business Manager EUVDEUVD-2026-41483

| CVE-2026-8921 HIGH
External Control of File Name or Path (CWE-73)
2026-07-03 ASUS GHSA-2844-p28c-wcj6
8.5
CVSS 4.0 · Vendor: ASUS
Share

Severity by source

Vendor (ASUS) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Local authenticated low-priv user (AV:L/PR:L) sends a low-complexity tampered IPC message (AC:L) to gain SYSTEM, yielding full C/I/A impact with no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ASUS).

CVSS VectorVendor: ASUS

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 03, 2026 - 03:01 vuln.today

DescriptionCVE.org

External Control of File Name or Path vulnerability in ASUS Business Manager allows a local user to execute arbitrary code with SYSTEM privileges via a tampered IPC message. Refer to the ' Security Update for ASUS Business Manager ' section on the ASUS Security Advisory for more information.

AnalysisAI

Local privilege escalation to SYSTEM in ASUS Business Manager lets a low-privileged local user run arbitrary code by tampering with an inter-process communication (IPC) message that the software's privileged service trusts. Because the SYSTEM-level component controls a file name or path based on attacker-influenced IPC input (CWE-73), a standard user can coerce it into loading or executing attacker-chosen content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as local low-priv user
Delivery
Locate ASUS Business Manager IPC endpoint
Exploit
Craft tampered IPC message with controlled path
Execution
SYSTEM service acts on attacker path
Persist
Execute arbitrary code as SYSTEM
Impact
Full host compromise via privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker to already hold a low-privileged authenticated local account on the Windows host running ASUS Business Manager (PR:L, AV:L) and the ability to send or tamper with a message on the application's local IPC channel to the privileged service. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N) describes a local, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality, integrity, and availability impact on the vulnerable system but no subsequent-system (scope) change - a classic local privilege escalation to SYSTEM rather than remote compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in standard user on a corporate laptop running ASUS Business Manager crafts or replays a malicious IPC message to the SYSTEM-level service, supplying an attacker-controlled file path. The privileged service acts on that path and executes attacker-chosen code, giving the user full SYSTEM privileges on the host. …
Remediation Update ASUS Business Manager to the fixed release listed under the 'Security Update for ASUS Business Manager' section of the ASUS Security Advisory (https://www.asus.com/security-advisory); the input does not include an exact fixed version, so obtain it directly from that advisory rather than assuming a build (No vendor-released fixed version independently confirmed from available data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ASUS Business Manager deployments and document versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy