An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests.
The vulnerability concerns improper handling of IOCTL (Input/Output Control) requests in the system driver associated with the DeviceIoControl component of the ASUS Fan_Xpert application. An attacker can send crafted IOCTL requests to the driver, leading to arbitrary code execution. The CWE-782 class (Exposed IOCTL with Insufficient Access Control) suggests that the driver exposes unsafe IOCTL operations without proper permission verification or input data validation.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code (RCE) on the target system, potentially with elevated privileges characteristic of Windows kernel drivers. This can lead to complete system takeover, violation of data confidentiality and integrity, and loss of service availability.
Update the ASUS Fan_Xpert application to version 10013 or newer. Apply patches available from the manufacturer according to the references. Additionally, it is recommended to restrict local system access for unauthorized users and monitor IOCTL operations on hosts with ASUS software installed.
Windows systems with ASUS Fan_Xpert application installed in versions prior to v.10013.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H