ASUS has patched a local privilege escalation (LPE) vulnerability in the ASUS Software Manager service of MyASUS, made public on June 10, 2026, 98 days after the initial private report. The flaw, tracked as CVE-2026-7480 and published via advisory ZDI-26-328, allows low-privileged code to achieve arbitrary execution with SYSTEM-level rights. However, the coordinated disclosure reveals a documentation gap: the link provided by the Zero Day Initiative for the ASUS patch points back to the ZDI advisory itself, rather than an independent vendor security bulletin.
- The CVE-2026-7480 vulnerability enables local privilege escalation from low-level rights to SYSTEM within the MyASUS ASUS Software Manager service.
- Zero Day Initiative assigned a CVSS v3.1 score of 7.8 (HIGH); the official CVE record lists a CVSS 4.0 score of 7.3 (HIGH), both placing the flaw in the high-severity tier.
- The disclosure timeline shows 98 days between the initial vendor report (March 4, 2026) and the coordinated public release (June 10, 2026).
- ASUS has issued a corrective update, but the vendor patch URL in the ZDI advisory is self-referential and does not lead to a dedicated ASUS security advisory.
Technical Analysis: Unvalidated Origins and Maximum Privileges
The ASUS Software Manager service, an integrated component of MyASUS and the ASUS System Control Interface, manages system operations requiring elevated privileges. According to advisory ZDI-26-328, "the specific flaw exists within the ASUS Software Manager service. The issue results from insufficient validation of the origin of commands." A local process with limited rights can inject commands that the service executes within the SYSTEM context—the highest authority level in Windows.
The CVE-2026-7480 record provides further mechanical detail: execution occurs "via a crafted RPC call that bypass the validation mechanism." The CWE-732 classification (Incorrect Permission Assignment for Critical Resource) indicates the problem lies in faulty permission assignments on critical resources rather than a parsing error or memory corruption. This profile makes the vulnerability particularly stable to exploit, as it does not require heap or stack manipulation, only the composition of a malformed RPC call.
Attack conditions are specific but realistic in post-compromise scenarios. An attacker must already possess the ability to execute low-privileged code on the target system—a condition typical of sandboxed malware, limited user account execution, or initial compromise via phishing. From this position, the exploit elevates privileges to the maximum level, neutralizing subsequent security barriers based on current user rights.
"This vulnerability allows local attackers to escalate privileges on affected installations of ASUS MyASUS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability." — Zero Day Initiative, advisory ZDI-26-328
The Dual Faces of Risk: CVSS 7.8 vs. 7.3
The divergence between scoring systems highlights how the same vulnerability can be perceived differently depending on the evaluation framework. Advisory ZDI-26-328 assigns a CVSS v3.1 score of 7.8 with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack, low complexity, local privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Conversely, the CVE-2026-7480 record utilizes the CVSS 4.0 framework, resulting in a 7.3 score with the vector CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
The primary difference lies in the Attack Complexity field: LOW for ZDI and HIGH for CVE. This discrepancy likely reflects differing assessments of the required target environment conditions—such as race conditions or specific service configurations—but it does not alter the overall classification. Both scores place the vulnerability in the HIGH category. For organizations, the message is clear: this flaw requires patching priority.
The 98-Day Disclosure Timeline: Navigating the Documentation Gap
The ZDI advisory timeline is explicit: private notification to the vendor on March 4, 2026, followed by a coordinated public release on June 10, 2026. This 98-day interval falls within commonly accepted coordinated disclosure terms (typically 90-120 days) but approaches the upper limit of standard practice. During this period, the vulnerability was known to the vendor and the researcher, but not to the public or end-users managing ASUS laptop fleets in corporate environments.
The expectation of a Coordinated Vulnerability Disclosure (CVD) process is that the vendor releases a patch before public disclosure, or at least clearly communicates the fix's availability. In this instance, the ZDI advisory states that "ASUS has issued an update to correct this vulnerability," yet the vendorPatchUrl field contains the address of the advisory itself. This circularity raises operational challenges: an administrator seeking an official ASUS bulletin finds no dedicated endpoint and is instead redirected back to the ZDI page. The ASUS corporate site and security advisory section do not mention CVE-2026-7480 or ZDI-26-328.
This phenomenon is not isolated. Vendors with structured security programs (ASUS is a MITRE CVE Numbering Authority, or CNA) sometimes distribute patches through automated channels—Windows Update, MyASUS Live Update, or the ASUS System Control Interface updater—without publishing individual text-based advisories. However, the lack of a direct URL makes it impossible to quickly verify which version contains the fix, which previous builds are affected, and whether a specific installation is protected.
Why It Matters
MyASUS is preinstalled on a vast majority of consumer and business ASUS laptops, creating an extensive and heterogeneous attack surface. An LPE to SYSTEM transforms any marginal initial compromise—such as sandboxed malware, a compromised standard user account, or a vulnerable corporate application—into total system control. For organizations with ASUS fleets, this represents a critical lateral movement vector in the post-infiltration phase of an attack.
The dossier does not specify which versions of MyASUS or the ASUS System Control Interface are affected, nor does it provide the build number for the fix. There is no evidence of in-the-wild exploitation prior to disclosure. The identity of the researcher who discovered the vulnerability has not been made public. The exact nature of the data or functionality exposed within the ASUS Software Manager service is not detailed beyond the description of the RPC mechanism.
The absence of an independent ASUS advisory introduces a supply chain governance issue. Patch management tools and corporate vulnerability management processes often rely on structured feeds (CVRF, CSAF, CVE Bulletins) that require persistent identifiers and canonical URLs. When the authoritative path is a loop, automation fails, forcing administrators to rely on manual verification via proprietary ASUS channels.
Unanswered Questions
How do I know if my system is patched?
The dossier does not outline a verification procedure. The patch link provided by the ZDI advisory redirects to the same advisory rather than an ASUS bulletin with instructions or version numbers. Users must check proprietary ASUS update channels (MyASUS Live Update, Windows Update, ASUS System Control Interface) without a guarantee of receiving explicit confirmation that this specific vulnerability has been addressed.
Why do the two CVSS scores differ in attack complexity?
ZDI-26-328 records Attack Complexity as LOW under CVSS v3.1, while the CVE-2026-7480 record lists Attack Complexity as HIGH under CVSS 4.0. The dossier does not explain the reason for this divergence. Possible causes include differing evaluations of environmental requirements (race conditions, specific configurations) or distinct interpretations of the same exploit scenario, but no source in the brief clarifies this point.
Can the ASUS Software Manager service be disabled as a mitigation?
The brief does not document whether disabling the service is possible, recommended, or functionally neutral. MyASUS and the ASUS System Control Interface manage system features that may depend on this service; the dossier provides no information regarding the operational impact of configuration changes.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-328/
- https://www.cve.org/CVERecord?id=CVE-2026-7480
- http://www.zerodayinitiative.com/advisories/
- http://nvd.nist.gov/cvss.cfm?calculator&version=3.0&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- https://www.asus.com/
- https://www.asus.com/security-advisory
Information has been verified against the cited sources and is current as of the time of publication.