A critical security flaw, designated as CVE-2025-59373, has been discovered in the ASUS MyASUS software, specifically within its ASUS System Control Interface component. This local privilege escalation vulnerability allows attackers with low-level access to a system to elevate their privileges to NT AUTHORITY\SYSTEM, granting full administrative control over the affected Windows machine. The issue stems from improper permissions in the restore mechanism, particularly involving a named pipe in the AsusSwitchAgent service and inadequate validation when copying files into protected system paths. This enables arbitrary code execution without requiring user interaction.
The vulnerability was publicly disclosed on November 25, 2025, by the Zero Day Initiative (ZDI), with a CVSS v3.1 base score of 7.8 (High), reflecting its local attack vector, low complexity, and high impact on confidentiality, integrity, and availability. Some analyses using CVSS v4.0 rate it at 8.5, emphasizing the ease of exploitation once initial low-privileged access is gained.
Affected Systems
• Software: All versions of ASUS System Control Interface prior to 3.1.48.0 (x64 architecture) and 4.2.48.0 (ARM architecture).
• Devices: Millions of ASUS personal computers worldwide, including laptops, desktops, NUC mini-PCs, and All-in-One systems preinstalled with MyASUS. This software is commonly bundled on ASUS hardware for managing updates, diagnostics, and hardware settings.
• Platforms: Primarily Windows-based systems; no evidence of impact on non-Windows OSes.
The flaw does not affect remote attackers directly—initial low-privileged local access (e.g., via a separate malware infection or compromised user account) is required to trigger it.
Exploitation and Impact
Exploitation is straightforward for a local attacker:
1. Gain low-privileged execution on the target (e.g., through phishing or drive-by downloads).
2. Interact with the vulnerable AsusSwitchAgent service via the named pipe or restore function to overwrite or execute files in privileged directories.
3. Escalate to SYSTEM privileges, allowing full system takeover.
Potential consequences include:
• Installation of persistent malware or backdoors.
• Theft or modification of sensitive data.
• System configuration changes, such as disabling security features.
• Lateral movement in enterprise networks, where a single compromised endpoint could lead to broader breaches.
Experts note this is particularly risky in corporate environments, as MyASUS’s widespread use amplifies the threat surface. Recent discussions on X highlight user concerns about automatic updates and the need for immediate patching.
Mitigation and Patch
ASUS has released security updates to address CVE-2025-59373:
• Update Method: The patch is delivered automatically via Windows Update. Alternatively, download it manually from the ASUS Support website (search for your device model and check under “Driver & Utility”).
• Verification: Open MyASUS, navigate to Settings > About, and confirm your System Control Interface version is at least 3.1.48.0 (x64) or 4.2.48.0 (ARM).
• Additional Steps:
• Enable automatic Windows Updates.
• Monitor for unusual system behavior and scan with antivirus tools.
• In enterprise settings, prioritize deployment via patch management systems and restrict local user privileges where possible.
ASUS officially acknowledges the issue in their Security Advisory and recommends applying the update immediately to all affected devices. No evidence of active exploitation in the wild has been reported as of November 27, 2025, but prompt action is advised given the vulnerability’s severity. For the latest details, refer to the official ASUS advisory or NVD entry.