Description
An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypass the validation mechanism.
Refer to the 'Security Update for ASUS System Control Interface' section on the ASUS Security Advisory for more information.
Published: 2026-05-29
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrectly assigned permission allows local users to elevate to SYSTEM through a crafted RPC call, leading to arbitrary code execution. This flaw stems from improper permission checks, classified as CWE-732. The consequence is that a local attacker can gain full control of the affected system, compromising confidentiality, integrity, and availability.

Affected Systems

The flaw is present in ASUS System Control Interface, as identified in the ASUS Security Advisory. No specific version range is enumerated in the advisory, so all deployments of the product may be affected until the vendor issues a fix.

Risk and Exploitability

The CVSS score of 7.3 signals a high-risk vulnerability requiring prompt remediation. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA’s KEV catalog; thus the exploitation probability is uncertain but the local attacker can execute privileged code. Immediate patching or disabling the vulnerable RPC endpoint is recommended to mitigate the risk.

Generated by OpenCVE AI on May 29, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the ASUS security update for System Control Interface as detailed in the Security Advisory.
  • Remove or restrict any local accounts that have unnecessary access to the System Control Interface and disable unused RPC services to reduce attack surface.
  • Monitor system logs for unauthorized RPC activity to detect potential exploitation attempts.

Generated by OpenCVE AI on May 29, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.asus.com/security-advisory/ cve-icon cve-icon
History

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Incorrect Permission in ASUS System Control Interface

Fri, 29 May 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Asus
Asus asus System Control Interface
Vendors & Products Asus
Asus asus System Control Interface

Fri, 29 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypass the validation mechanism. Refer to the 'Security Update for ASUS System Control Interface' section on the ASUS Security Advisory for more information.
Weaknesses CWE-732
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Asus Asus System Control Interface
cve-icon MITRE

Status: PUBLISHED

Assigner: ASUS

Published:

Updated: 2026-05-29T16:24:56.103Z

Reserved: 2026-04-30T02:33:01.096Z

Link: CVE-2026-7480

cve-icon Vulnrichment

Updated: 2026-05-29T16:24:49.964Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T02:16:17.223

Modified: 2026-05-29T14:46:09.837

Link: CVE-2026-7480

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T04:30:27Z

Weaknesses