CVE-2022-38699 MEDIUM

CVE-2022-38699: ASUS Armoury Crate Service - Arbitrary File Creation via Elevation of Privilege Flaw

Vendor Asus
Product Armoury Crate Service
Weakness CWE-59
Published September 28, 2022
Last update May 21, 2025

CVSS base score

5.9/10
Attack vector Physical
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.

Key dates

02Disclosure timeline

September 28, 2022 CVE published
May 21, 2025 Record updated