
CVE-2025-9968: CWE-59 Improper Link Resolution Before File Access ('Link Following') in ASUS Armoury Crate

Severity: High
Published: Mon Oct 13 2025 (10/13/2025, 08:13:33 UTC)
Source: CVE Database V5
Vendor/Project: ASUS
Product: Armoury Crate

Description

A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section 'Security Update for Armoury Crate App' in the ASUS Security Advisory.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 04:32:52 UTC

Technical Analysis

CVE-2025-9968 is a vulnerability identified in the UnifyScanner component of ASUS Armoury Crate, a software suite widely used for system monitoring and device management on ASUS hardware. The flaw is categorized under CWE-59, which involves improper link resolution before file access, commonly referred to as 'link following.' This vulnerability can be triggered by an attacker creating a specially crafted NTFS junction point (a directory reparse point that redirects path resolution to another directory, much like a symbolic link) that the UnifyScanner component follows incorrectly. When the software accesses files through this malicious junction, it may inadvertently perform operations on unintended files or directories. This behavior can be exploited to escalate privileges locally by overwriting or manipulating sensitive files that require higher privileges, thereby granting the attacker elevated access on the affected system. The vulnerability affects Armoury Crate versions prior to 6.3.4 and requires the attacker to have local low-privilege access but does not require user interaction, making it easier to exploit once local access is obtained. The CVSS 4.0 base score of 8.5 reflects a high severity due to the combination of local attack vector, low attack complexity, no required authentication, and the potential for complete compromise of confidentiality, integrity, and availability. Although no public exploits are known at this time, the vulnerability poses a significant risk to users of ASUS Armoury Crate, especially in environments where local user accounts are shared or less strictly controlled. The issue was publicly disclosed in October 2025, with ASUS providing a security advisory recommending updates to version 6.3.4 or later to remediate the flaw.

Potential Impact

The primary impact of CVE-2025-9968 is local privilege escalation, which can allow an attacker with limited access to gain administrative or SYSTEM-level privileges on affected Windows machines running ASUS Armoury Crate. This elevation of privilege can lead to full system compromise, enabling attackers to install persistent malware, exfiltrate sensitive data, disable security controls, or disrupt system availability. Organizations relying on ASUS hardware and Armoury Crate for device management and monitoring are at risk of internal threat actors or malware leveraging this vulnerability to escalate privileges and move laterally within networks. The vulnerability undermines the confidentiality, integrity, and availability of affected systems. Given Armoury Crate's widespread use in consumer and enterprise ASUS devices, the scope of affected systems is broad. The lack of required user interaction increases the likelihood of exploitation once local access is achieved. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a valuable target for attackers seeking to deepen footholds in compromised environments.

Mitigation Recommendations

To mitigate CVE-2025-9968, organizations and users should immediately update ASUS Armoury Crate to version 6.3.4 or later once available, as this is the definitive fix provided by the vendor. Until patches are applied, restrict local user permissions to prevent untrusted users from creating junction points or manipulating file system links. Employ application whitelisting and endpoint detection solutions to monitor and block suspicious file system activities, especially the creation of NTFS junctions in directories accessed by Armoury Crate. Conduct regular audits of local user accounts and privileges to minimize the risk of unauthorized local access. Consider disabling or uninstalling Armoury Crate if it is not essential, particularly on systems with multiple users or in high-security environments. Additionally, monitor system logs for unusual file access patterns or errors related to junction points. Implement strict endpoint security policies to reduce the attack surface and prevent lateral movement by attackers who might exploit this vulnerability.
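The junction monitoring recommended above can be started with a simple audit. The following PowerShell function is an added example, not code from ASUS or from this page; it lists every reparse point under directories the operator supplies. The page does not name the directories UnifyScanner touches, so the root path in the usage comment is a placeholder.

```powershell
# Added example: defensive audit, not ASUS code.
# Lists reparse points (junctions, symlinks, other reparse tags) under the
# given roots without descending into them, so the walk itself cannot be
# redirected by a link and cannot loop.
function Find-ReparsePoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Root   # directories to audit; chosen by the operator
    )

    $reparse = [System.IO.FileAttributes]::ReparsePoint
    $pending = [System.Collections.Generic.Stack[string]]::new()

    foreach ($r in $Root) {
        $rootItem = Get-Item -LiteralPath $r -Force -ErrorAction SilentlyContinue
        if ($null -eq $rootItem) { Write-Warning "Not found: $r"; continue }
        if (($rootItem.Attributes -band $reparse) -ne 0) {
            # The root itself is a link: report it, do not walk through it.
            $rootItem | Select-Object FullName, LinkType, Target, CreationTimeUtc
        } elseif ($rootItem.PSIsContainer) {
            $pending.Push($rootItem.FullName)
        }
    }

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        # -Force includes hidden/system entries; unreadable directories are skipped.
        $children = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        foreach ($item in $children) {
            if (($item.Attributes -band $reparse) -ne 0) {
                # LinkType is 'Junction' or 'SymbolicLink' for links; it is
                # empty for other reparse tags (for example cloud placeholders).
                $item | Select-Object FullName, LinkType, Target, CreationTimeUtc
            } elseif ($item.PSIsContainer) {
                $pending.Push($item.FullName)
            }
        }
    }
}

# Usage (placeholder path, replace with the directories you need to audit):
# Find-ReparsePoint -Root 'C:\PLACEHOLDER\scanned-directory' |
#     Where-Object LinkType -eq 'Junction' | Format-Table -AutoSize
```

A junction whose target lies outside the audited tree, in a directory that standard users can write to, is the case to review first.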


Technical Details

Data Version: 5.1
Assigner Short Name: ASUS
Date Reserved: 2025-09-04T06:41:21.334Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68ecbcbcfcb31871cb6ddb24

Added to database: 10/13/2025, 8:47:56 AM

Last enriched: 2/27/2026, 4:32:52 AM

Last updated: 3/24/2026, 2:51:28 PM
