CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2024-30804

CVSS 9.8v3.1pub. 2024-04-26upd. 2026-04-15

An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests.

πŸ€– AI Analysis
How it works

The vulnerability concerns improper handling of IOCTL (Input/Output Control) requests in the system driver associated with the DeviceIoControl component of the ASUS Fan_Xpert application. An attacker can send crafted IOCTL requests to the driver, leading to arbitrary code execution. The CWE-782 class (Exposed IOCTL with Insufficient Access Control) suggests that the driver exposes unsafe IOCTL operations without proper permission verification or input data validation.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code (RCE) on the target system, potentially with elevated privileges characteristic of Windows kernel drivers. This can lead to complete system takeover, violation of data confidentiality and integrity, and loss of service availability.

Mitigation & patch

Update the ASUS Fan_Xpert application to version 10013 or newer. Apply patches available from the manufacturer according to the references. Additionally, it is recommended to restrict local system access for unauthorized users and monitor IOCTL operations on hosts with ASUS software installed.

Who is affected

Windows systems with ASUS Fan_Xpert application installed in versions prior to v.10013.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References
CVE-2024-30804 β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl