Security
Headlines
HeadlinesLatestCVEs

Headline

ASUS Control Center Express 01.06.15 Unquoted Service Path

ASUS Control Center Express version 01.06.15 suffers from an unquoted service path vulnerability.

Packet Storm
#vulnerability#windows#asus#auth
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service PathPrivilege Escalation# Date: 2024-04-02# Exploit Author: Alaa Kachouh# Vendor Homepage:https://www.asus.com/campaign/ASUS-Control-Center-Express/global/# Version: Up to 01.06.15# Tested on: Windows# CVE: CVE-2024-27673===================================================================ASUS Control Center Express Version =< 01.06.15 contains an unquotedservice path which allows attackers to escalate privileges to the systemlevel.Assuming attackers have write access to C:\, the attackers can abuse theAsus service "Apro console service"/apro_console.exe which upon restartingwill invoke C:\Program.exe with SYSTEM privileges.The binary path of the service alone isn't susceptible, but upon itsinitiation, it will execute C:\program.exe as SYSTEM.Service Name: AProConsoleServicebinary impacted: apro_console.exe# If a malicious payload is inserted into C:\  and service is executed inany way, this can grant privileged access to the system and performmalicious activities.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution