CVE-2026-8921
ASUS · ASUS Business Manager
An External Control of File Name or Path vulnerability in ASUS Business Manager allows a local user to execute arbitrary code with SYSTEM privileges via a tampered Inter-Process Communication (IPC) message.
Executive summary
A local privilege escalation vulnerability in ASUS Business Manager could allow a local attacker to execute arbitrary code with SYSTEM-level permissions.
Vulnerability
The software fails to properly sanitize file paths when processing IPC messages. A local user can leverage this to gain SYSTEM-level execution, essentially bypassing standard Windows security boundaries.
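The page does not describe the actual IPC message format, so the following is an added example, not ASUS code: one way a SYSTEM-level handler can confine a client-supplied path to a single directory before using it. The base directory, function name, and sample inputs are hypothetical; `ntpath` is used so Windows path rules apply on any platform.

```python
import ntpath

# Hypothetical directory the privileged service is allowed to touch.
ALLOWED_BASE = r"C:\Program Files\ExampleVendor\Agent\data"


class PathRejected(ValueError):
    """Raised when a client-supplied path fails validation."""


def resolve_client_path(requested: str, base: str = ALLOWED_BASE) -> str:
    """Return an absolute path inside `base`, or raise PathRejected.

    `requested` stands in for the path field of an IPC message sent by
    an unprivileged local client (assumed field, not the real format).
    """
    if not requested or "\x00" in requested:
        raise PathRejected("empty path or embedded NUL")

    # Windows accepts both separators; normalise before inspecting.
    candidate = requested.replace("/", "\\")
    drive, tail = ntpath.splitdrive(candidate)

    # Clients may only name files relative to the base directory. This
    # rejects C:\..., drive-relative C:x, rooted \x, UNC \\server\share
    # and device paths such as \\?\ or \\.\ .
    if drive or tail.startswith("\\"):
        raise PathRejected("absolute, UNC or device path")

    # Any remaining colon would select an NTFS alternate data stream.
    if ":" in tail:
        raise PathRejected("alternate data stream syntax")

    # Collapse ".." segments, then compare whole path components
    # case-insensitively. A plain prefix test would wrongly accept a
    # sibling directory such as ...\data2.
    full = ntpath.normpath(ntpath.join(base, tail))
    base_n = ntpath.normcase(ntpath.normpath(base))
    if ntpath.commonpath([base_n, ntpath.normcase(full)]) != base_n:
        raise PathRejected("path escapes the allowed directory")

    # Caveat: string checks do not resolve junctions or symlinks. On a
    # live system, also open the file and verify the handle's final
    # path (GetFinalPathNameByHandle) before acting on it.
    return full
```
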
Business impact
With a CVSS score of 8.5, this vulnerability presents a significant risk for local privilege escalation. An attacker who has gained a low-privileged foothold on a system can escalate to SYSTEM, resulting in full machine compromise, theft of sensitive credentials, and the potential for persistent malware installation.
Remediation
Immediate Action: Identify and update all systems running ASUS Business Manager to the latest version provided by the vendor.
Proactive Monitoring: Monitor system logs for unauthorized attempts to interact with ASUS services or unexpected process execution with elevated privileges.
Compensating Controls: Implement strict application whitelisting and limit local user permissions to prevent unauthorized code from running and sending malicious IPC messages.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is highly dangerous for multi-user environments where local access is granted to untrusted users. Organizations should prioritize updating the vulnerable ASUS software to prevent local attackers from obtaining full administrative control over the underlying operating system.