CRITICAL🇵🇱 Wersja polska

CVE-2023-5716

CVSS 9.8v3.1pub. 2024-01-19upd. 2024-11-21

ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission.

🤖 AI Analysis
How it works

The vulnerability consists of a lack of proper permission verification (CWE-306) before handling HTTP requests directed to the ASUS Armoury Crate application component. An attacker can send specific HTTP requests without authentication, which allows arbitrary reading or modification of files on the file system of the machine running the software. The lack of an access control mechanism means that any remote network entity can perform these operations.

Impact

An attacker can read confidential system or user files (breach of confidentiality), as well as write or modify arbitrary files (breach of integrity and potentially availability), which could consequently lead to complete system takeover.

Mitigation & patch

Patches available from the vendor should be applied according to the references (https://www.twcert.org.tw/tw/cp-132-7666-fffce-1.html). Until updates are applied, it is recommended to restrict network access to ports used by ASUS Armoury Crate at the firewall level and avoid running the application on systems directly exposed to untrusted networks.

Who is affected

ASUS Armoury Crate — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Asus Armoury Crate

    APP
    Asus
    < 4.1.0.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-26911HIGH7.8ten sam produkt

ASUS SetupAsusServices v1.0.5.1 in Asus Armoury Crate v5.3.4.0 contains an unquoted service path vulnerability...

CVE-2022-42455HIGH7.8ten sam produkt

ASUS EC Tool driver (aka d.sys) 1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb, as signed by...

CVE-2025-59374CRITICAL9.3⚠ KEVPL ✓ten sam vendor

ASUS Live Update — kompromitacja łańcucha dostaw (supply chain compromise)

CVE-2021-32030CRITICAL9.8⚠ KEVten sam vendor

The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 and Lyra Mini before 3.0.0.4_...

CVE-2025-59367CRITICAL9.3PL ✓ten sam vendor

Authentication bypass w routerach ASUS z serii DSL — nieautoryzowany dostęp zdalny