FKIE_CVE-2025-12793

Vulnerability from fkie_nvd - Published: 2026-01-06 03:15 - Updated: 2026-06-17 08:32
Severity
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. Refer to the ' Security Update for MyASUS' section on the ASUS Security Advisory for more information.
References
54bf65a7-a193-42d2-b1ba-8e150d3c35e1https://www.asus.com/security-advisoryVendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://www.asus.com/security-advisoryVendor Advisory
Impacted products
Vendor Product Version
asus myasus *
asus myasus *
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit"
          ],
          "product": "ASCI",
          "vendor": "ASUS",
          "versions": [
            {
              "status": "affected",
              "version": "Before v3.1.49.0"
            },
            {
              "status": "affected",
              "version": "Before v1.1.37.0"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "ARM"
          ],
          "product": "ASCI",
          "vendor": "ASUS",
          "versions": [
            {
              "status": "affected",
              "version": "Before v3.2.50.0"
            }
          ]
        }
      ],
      "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:asus:myasus:*:*:*:*:*:*:x64:*",
              "matchCriteriaId": "B272677A-2AF9-4ECE-92E6-393C1227AF78",
              "versionEndExcluding": "4.0.52.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asus:myasus:*:*:*:*:*:*:arm64:*",
              "matchCriteriaId": "1C177A8B-ED83-42D0-914E-90CF89FBA787",
              "versionEndExcluding": "4.2.50.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution.\nRefer to the \u0027\n\nSecurity Update for MyASUS\u0027 section on the ASUS Security Advisory for more information."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de ruta de carga de DLL no controlada en AsusSoftwareManagerAgent. Un atacante local puede influir en la aplicaci\u00f3n para que cargue una DLL desde una ubicaci\u00f3n controlada por el atacante, lo que podr\u00eda resultar en ejecuci\u00f3n de c\u00f3digo arbitrario.\nConsulte la secci\u00f3n \u0027Security Update for MyASUS\u0027 en el Aviso de Seguridad de ASUS para m\u00e1s informaci\u00f3n."
    }
  ],
  "id": "CVE-2025-12793",
  "lastModified": "2026-06-17T08:32:58.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-12793",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-06T14:20:04.567403Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-06T03:15:41.120",
  "references": [
    {
      "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.asus.com/security-advisory"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.asus.com/security-advisory"
    }
  ],
  "sourceIdentifier": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-426"
        }
      ],
      "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.