Impact
An incorrect permission assignment in the ASUS Business System Control Interface driver lets an unprivileged local user craft an IOCTL request that results in unauthorized access to sensitive hardware resources and disclosure of kernel information. The vulnerability is an access control failure (CWE-732): the driver does not verify the caller's privileges before performing privileged operations. In practice, a local attacker could read kernel memory or sensitive device registers, potentially leaking confidential data, without achieving remote code execution or system-wide compromise.
Affected Systems
The vulnerability affects the ASUS Business System Control Interface product. Specific affected versions are not listed in the CVE data, so all versions of the driver may be at risk unless an update is applied.
Risk and Exploitability
The CVSS score of 6.8 reflects moderate severity, with the main risks including a confidentiality impact and a limited integrity impact. EPSS puts the probability of exploitation at less than 1%, indicating a low likelihood of discovery and use at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local: the attacker must be able to execute code on the same machine and have the privileges needed to send IOCTL requests, so remote exploitation is not possible based on the information provided.