CVE-2026-3428: CWE-494 Download of Code Without Integrity Check in ASUS Member Center(华硕大厅)
A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information.
AI Analysis
Technical Summary
This vulnerability arises from the lack of integrity verification on code downloaded during the update process of ASUS Member Center (华硕大厅). A local attacker can exploit a TOC-TOU race condition to replace the legitimate update payload with a malicious one after download but before execution. Because the update process runs with administrative privileges and requires user consent, the attacker can escalate privileges to Administrator by tricking the system into executing the substituted payload. The affected versions are 1.6.6.4 and earlier. The CVSS 4.0 vector indicates local attack vector, high attack complexity, partial user interaction, and partial impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows a local user with limited privileges to escalate to Administrator privileges on the affected system. This can lead to full control over the system, including installation of malicious software or modification of system settings. The vulnerability does not appear to be exploitable remotely and requires user interaction. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the ASUS Security Advisory for current remediation guidance. Until an official fix is released, users should exercise caution when applying updates via ASUS Member Center and avoid running update processes from untrusted environments. Monitoring for updates from ASUS is recommended to apply any forthcoming patches promptly.
CVE-2026-3428: CWE-494 Download of Code Without Integrity Check in ASUS Member Center(华硕大厅)
Description
A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center(华硕大厅) allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use (TOC-TOU) during the update process, where an unexpected payload is substituted for a legitimate one immediately after download, and subsequently executed with administrative privileges upon user consent. Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory for more information.
CVSS v4.0
Score 5.4medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the lack of integrity verification on code downloaded during the update process of ASUS Member Center (华硕大厅). A local attacker can exploit a TOC-TOU race condition to replace the legitimate update payload with a malicious one after download but before execution. Because the update process runs with administrative privileges and requires user consent, the attacker can escalate privileges to Administrator by tricking the system into executing the substituted payload. The affected versions are 1.6.6.4 and earlier. The CVSS 4.0 vector indicates local attack vector, high attack complexity, partial user interaction, and partial impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows a local user with limited privileges to escalate to Administrator privileges on the affected system. This can lead to full control over the system, including installation of malicious software or modification of system settings. The vulnerability does not appear to be exploitable remotely and requires user interaction. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the ASUS Security Advisory for current remediation guidance. Until an official fix is released, users should exercise caution when applying updates via ASUS Member Center and avoid running update processes from untrusted environments. Monitoring for updates from ASUS is recommended to apply any forthcoming patches promptly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ASUS
- Date Reserved
- 2026-03-02T09:30:08.780Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e04d9c82d89c981f080c0b
Added to database: 4/16/2026, 2:46:52 AM
Last enriched: 4/16/2026, 3:02:41 AM
Last updated: 5/31/2026, 1:56:51 AM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.