Privilege Escalation Vulnerability in MyAsus

MyAsus has a high-risk security vulnerability that allows privilege escalation. An update is available.


A high-risk security vulnerability has been discovered in MyAsus, the support tool for computers from the manufacturer Asus. It allows attackers to inject arbitrary code that is executed with the privileges of MyAsus, thereby enabling them to escalate their privileges within the system.

In the vulnerability description, Asus explains that there is a vulnerability in the “AsusSoftwareManagerAgent” of the type “uncontrolled DLL search path”. Local attackers can trick the app into loading a manipulated DLL from a location controlled by the attackers, leading to arbitrary code execution (CVE-2025-12793, CVSS4 8.5, Risk “high”). The MyAsus support tool is pre-installed on various Asus computers by default.
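A defender can triage for this class of bug by reviewing which DLLs the agent actually loads. The following sketch is an added example, not code from Asus or from the original article; it assumes image-load telemetry in the shape of Sysmon Event ID 7 records, assumes the agent's process image name contains the component name from the advisory, and uses constructed sample events.

```python
import ntpath

# Assumption: the agent's process image name contains the component name from the advisory.
AGENT_MARKER = "asussoftwaremanageragent"

# Directories treated as trusted load locations (assumes default Windows ACLs).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

def is_trusted_dir(path):
    # normpath collapses "..\" segments so a traversal cannot fake a trusted prefix.
    return ntpath.normpath(path).lower().startswith(TRUSTED_PREFIXES)

def suspicious_loads(events):
    """Return (dll_path, reasons) for agent image loads that need triage."""
    findings = []
    for ev in events:
        if AGENT_MARKER not in ntpath.basename(ev["Image"]).lower():
            continue
        reasons = []
        if not is_trusted_dir(ev["ImageLoaded"]):
            reasons.append("path outside trusted directories")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("signature missing or invalid")
        if reasons:
            findings.append((ev["ImageLoaded"], reasons))
    return findings

# Constructed sample events using Sysmon Event ID 7 field names; all paths are made up.
AGENT = r"C:\Program Files\ExampleVendor\AsusSoftwareManagerAgent.exe"
SAMPLE_EVENTS = [
    {"Image": AGENT, "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": AGENT, "ImageLoaded": r"C:\ProgramData\Example\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": AGENT, "ImageLoaded": r"C:\Program Files\ExampleVendor\..\..\Users\Public\helper.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\Public\other.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for dll, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(f"{dll}: {'; '.join(reasons)}")
```

A hit is a lead for investigation, not proof of exploitation: legitimate components installed outside the listed directories will also be flagged and should be added to the trusted list once verified.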

Asus has also added a new entry for MyAsus to its security advisories webpage. According to the advisory, MyAsus is available for download for all Asus PCs, from desktops and laptops to NUCs and all-in-one PCs. The fixes are included in MyAsus starting from version 4.0.52.0 for x64 CPUs and 4.2.50.0 for ARM processors.

The current version can be downloaded from the Asus website. However, the download redirects to the Microsoft Store, which then handles the installation appropriately for the platform and through which updates can be distributed. Asus also states in the security advisory that opening the MyAsus tool with an active internet connection should prompt the update.

At the end of November, Asus was already in the news for a high-risk security vulnerability in MyAsus. That too was a vulnerability that allowed attackers to escalate their privileges within the system. However, it was located in the recovery mechanism of the Asus System Control Interface.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.