Asus patches high-risk privilege escalation vulnerability in MyAsus

Asus warns of a high-risk security vulnerability in its MyAsus software. An update is available.


On its PCs and laptops, Asus installs a maintenance tool called MyAsus, which can download and install driver and BIOS updates, among other things. Attackers can exploit a vulnerability in this software, rated as high risk, to execute arbitrary code with elevated privileges and thereby compromise vulnerable systems.

The vulnerability description explains that the privilege escalation vulnerability is located in the recovery mechanism of the Asus System Control Interface. "It can be triggered when attackers without elevated privileges copy files to protected system paths without sufficient validation, which could potentially lead to the execution of arbitrary files as SYSTEM," Asus writes there (CVE-2025-59373, CVSS4 8.5, Risk "high").

A security advisory on the Asus website further explains that all PCs, such as desktops, laptops, NUCs, and all-in-one PCs from the company, are affected, and an update to Asus System Control Interface 3.1.48.0 (x64) or 4.2.48.0 (ARM) is available to patch the security hole. The currently running version is displayed by the MyAsus software under "Settings" – "About". The update should be available via Windows Update; additionally, Asus has made it accessible on the support website. According to another support article, MyAsus should also notify users of an available update when opened. Affected users should install the update promptly to avoid providing unnecessary attack surface to malicious actors.


Most recently, at the end of July, two security vulnerabilities in the MyAsus software were found. For instance, it contained hardcoded credentials in the form of a token, which allowed attackers access to unspecified services. In that case as well, all-in-one PCs, desktops, NUCs, and laptops were affected by the vulnerabilities in the MyAsus tool.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.