Saturday, January 17, 2026

ASUS Armoury Crate Vulnerability Allows Attackers to Escalate Privileges to System User on Windows

A critical security vulnerability in ASUS Armoury Crate software has been discovered that allows attackers to gain complete system control on Windows machines through a sophisticated hard link exploitation technique.

The vulnerability, designated CVE-2025-3464 with a high CVSS score of 8.8, affects the AsIO3.sys driver component and enables unauthorized users to bypass authentication mechanisms, ultimately providing pathways to privilege escalation and full system compromise.

Cisco Talos researchers have identified a serious authorization bypass vulnerability in ASUS Armoury Crate version 5.9.13.0, the centralized software application used by millions of gamers to manage ASUS hardware components and peripherals.

The vulnerability lies within the AsIO3.sys driver, which creates a device called Asusgio3 that implements its own authentication mechanism to control access to critical system functions.

Under normal circumstances, only the AsusCertService.exe service and processes specifically added to an allowed list can obtain handles to the Asusgio3 device.

The driver performs SHA-256 hash verification to ensure that only legitimate ASUS components can access its functionality.

However, researchers discovered that this security model can be completely circumvented through a carefully crafted hard link attack.

The exploitation technique involves creating hard links to manipulate the driver’s file verification process.

The vulnerability affects any Windows machine running the vulnerable version of ASUS Armoury Crate, potentially impacting millions of gaming systems worldwide.

Attackers first create a hard link pointing to their malicious application, then swap the link destination to point to the legitimate AsusCertService.exe file while the malicious application is running.

When the driver’s authentication mechanism queries the process information using ZwQueryInformationProcess, it receives the path to the hard link pointing to the ASUS service, causing the GetFileContent function to read the legitimate service’s content and approve the authentication.

This timing-based attack successfully tricks the driver into believing that the malicious application is actually the trusted ASUS service.

The researchers demonstrated this technique in their proof-of-concept, showing how they could obtain a valid handle to the protected device despite running unauthorized code.

The simplicity of this attack method makes it particularly concerning, as it requires minimal technical expertise to execute once the technique is understood.
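The gap described above, between the path a process reports and the file that is actually running, can be modelled with ordinary files. This is an added example, not code from ASUS, Cisco Talos or the original article; every function and file name is hypothetical, the file contents are constructed, and the identity-bound check is a general mitigation pattern, not a description of the vendor's patch.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def file_id(path):
    # (volume, file index): the same for every hard link to one file
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def check_by_path(reported_path, allowed_hash):
    # Weak pattern: hashes whatever the reported name points at *now*.
    return sha256_of(reported_path) == allowed_hash

def check_bound_to_image(reported_path, launched_id, allowed_hash):
    # Stronger pattern: the hashed file must be the file that was launched.
    with open(reported_path, "rb") as f:
        st = os.fstat(f.fileno())  # identity of the handle being read
        if (st.st_dev, st.st_ino) != launched_id:
            return False
        return hashlib.sha256(f.read()).hexdigest() == allowed_hash

def demo():
    # Constructed stand-ins for a trusted service and an unapproved program.
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted_service.bin")
        other = os.path.join(d, "other_app.bin")
        alias = os.path.join(d, "alias.bin")
        with open(trusted, "wb") as f:
            f.write(b"constructed trusted image")
        with open(other, "wb") as f:
            f.write(b"constructed unapproved image")
        allowed = sha256_of(trusted)
        os.link(other, alias)        # name the process is started under
        launched = file_id(alias)    # identity recorded at launch time
        os.unlink(alias)
        os.link(trusted, alias)      # same name now refers to another file
        return {
            "by_path": check_by_path(alias, allowed),
            "bound": check_bound_to_image(alias, launched, allowed),
            "legit": check_bound_to_image(trusted, file_id(trusted), allowed),
            "links_on_trusted": os.stat(trusted).st_nlink,
        }

if __name__ == "__main__":
    print(demo())
```

The link count above 1 on the trusted file is also a detection signal: an unexpected extra hard link to a service binary is worth investigating.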

Security Implications

Once attackers bypass the authentication mechanism, they gain access to numerous critical system capabilities that pose severe security risks.

ASUS released a patch on June 16, 2025, approximately four months after Cisco Talos disclosed the vulnerability in February.

The compromised driver exposes functionality including mapping any physical memory address into the virtual address space of the calling process, providing access to input/output port communications, and enabling read/write operations to Model Specific Register (MSR) values.

These capabilities effectively provide attackers with kernel-level access to the system, enabling complete privilege escalation and system takeover.

Users are strongly advised to update their Armoury Crate installations immediately to prevent potential exploitation.

This incident highlights the critical importance of proper authentication mechanisms in device drivers and demonstrates how seemingly secure hash-based verification systems can be undermined through creative attack vectors involving file system features like hard links.


Ethan Brooks
Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
