Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access with pre-existing administrator rights drives AV:L and PR:H; low complexity, and the flaw both discloses sensitive data (C:H) and enables host DoS (A:H) with no integrity impact.
Primary rating from Vendor (ASUS).
CVSS VectorVendor: ASUS
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Allocation of Resources Without Limits and Throttling and Sensitive Information in Resource Not Removed Before Reuse in the ASUS System Control Interface driver and ASUS Business Manager allow a local administrator to disclose sensitive information via crafted IOCTL requests, which, in severe cases, may lead to a Denial of Service (DoS) on the system. Refer to the ' Security Update for ASUS System Control Interface ' section on the ASUS Security Advisory for more information.
AnalysisAI
Local information disclosure and denial of service in the ASUS System Control Interface driver (v3 and earlier) and ASUS Business Manager lets a user already holding local administrator rights issue crafted IOCTL requests to read leftover sensitive data from kernel/driver buffers and, in severe cases, exhaust unthrottled resources to crash the host. The flaw stems from missing resource limits (CWE-770) combined with reuse of memory that still contains prior sensitive contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local administrator privileges on the target ASUS system (CVSS PR:H) and local access (AV:L) - it cannot be performed remotely or by a standard/unprivileged user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 8.2 (High) with vector AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:H, meaning local access, low complexity, but high privileges (administrator) already required - a significant limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already obtained local administrator privileges on an ASUS business notebook - for example after an earlier phishing-plus-privilege-escalation foothold - sends crafted IOCTL requests to the System Control Interface driver to read back stale buffer contents containing sensitive data, then repeats malformed requests to exhaust driver resources and crash the machine. No public POC is known, and low attack complexity means a knowledgeable admin-level attacker could develop one against the driver's IOCTL interface. |
| Remediation | Patch available per vendor advisory: update the ASUS System Control Interface / System Control Interface v3 driver and ASUS Business Manager to the fixed builds described in the 'Security Update for ASUS System Control Interface' section of the ASUS Security Advisory at https://www.asus.com/security-advisory/ (exact fixed version not provided in this dataset - obtain it from that advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all systems running ASUS System Control Interface driver v3 and earlier, plus any ASUS Business Manager installations, documenting affected versions and the count of users with local administrator rights. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in System Control Interface V3
View allArbitrary physical memory read/write in the ASUS System Control Interface (v3 and legacy) and ASUS Business Manager driv
Out-of-bounds memory read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44587
GHSA-jf28-f99p-265w