Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11901

CVE-2025-11901: ASUS Motherboards DoS Vulnerability

CVE-2025-11901 is a denial-of-service flaw in ASUS motherboards with Intel chipsets that allows uncontrolled resource consumption via physical access. This post covers technical details, affected systems, and mitigation.

Published:

CVE-2025-11901 Overview

CVE-2025-11901 is an uncontrolled resource consumption vulnerability affecting certain ASUS motherboards built on Intel B460, B560, B660, B760, H410, H510, H610, H470, Z590, Z690, Z790, W480, and W680 series chipsets. The flaw is tracked under [CWE-284] (Improper Access Control) and requires physical access to internal expansion slots. An attacker who installs a specially crafted hardware device along with a supporting software utility can trigger uncontrolled resource consumption. The condition increases the risk of unauthorized Direct Memory Access (DMA) to system memory, exposing the platform to confidentiality, integrity, and availability impact at the firmware level.

Critical Impact

Successful exploitation can enable unauthorized DMA, allowing an attacker with physical access to read or modify system memory outside of operating system controls.

Affected Products

  • ASUS motherboards using Intel B460, B560, B660, B760 chipsets
  • ASUS motherboards using Intel H410, H510, H610, H470 chipsets
  • ASUS motherboards using Intel Z590, Z690, Z790, W480, W680 chipsets

Discovery Timeline

  • 2025-12-17 - CVE-2025-11901 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-11901

Vulnerability Analysis

The vulnerability resides in UEFI firmware shipped with affected ASUS motherboards. Improper access control over platform resources allows a malicious peripheral connected to an internal expansion slot to consume resources in an uncontrolled manner. This condition undermines the protections that normally restrict device-initiated memory transactions. As a result, a rogue device can perform DMA reads and writes against host memory regions that should remain isolated.

DMA attacks bypass operating system memory protections because DMA-capable devices communicate directly with system RAM through the platform's I/O fabric. When firmware fails to enforce IOMMU or VT-d isolation policies consistently, an attached device can target kernel memory, credential stores, or disk encryption keys held in RAM. The classification under [CWE-284] reflects the underlying access control weakness rather than a memory corruption primitive.

Root Cause

The root cause is improper enforcement of access controls in the platform firmware governing expansion slot devices. Firmware logic does not adequately constrain resource allocation or DMA remapping for devices attached to internal slots such as PCIe or M.2. This allows an attacker-controlled device to operate outside the intended DMA isolation boundary established by the chipset.

Attack Vector

Exploitation requires physical access to the target system to install a crafted hardware device into an internal expansion slot. The attacker also deploys a supporting software utility on the host that coordinates with the malicious device. Once attached, the device can issue DMA requests that the firmware fails to constrain, gaining the ability to read or modify host memory. This is consistent with the CVSS attack vector of Physical and the lack of required privileges or user interaction beyond device installation.

No verified public exploit code is available. Technical details are described in the ASUS Security Advisory.

Detection Methods for CVE-2025-11901

Indicators of Compromise

  • Unexpected PCIe, M.2, or other expansion devices physically present in chassis inventory audits.
  • Firmware event logs showing unusual device enumeration, resource reallocation, or IOMMU configuration changes during boot.
  • Operating system reports of new DMA-capable devices appearing outside scheduled maintenance windows.

Detection Strategies

  • Compare current PCIe device topology against a known-good hardware baseline using lspci -tv on Linux or Get-PnpDevice on Windows.
  • Enable and review UEFI firmware audit logs for resource allocation anomalies tied to expansion slots.
  • Monitor host telemetry for installation of unsigned or unexpected kernel drivers that accompany rogue DMA devices.

Monitoring Recommendations

  • Track chassis intrusion sensor events through platform management tooling and forward them to centralized logging.
  • Alert on driver load events and process executions associated with unknown vendor utilities that interact with low-level device interfaces.
  • Periodically validate that IOMMU or Intel VT-d is enabled and that DMA protection settings remain enforced after firmware updates.

How to Mitigate CVE-2025-11901

Immediate Actions Required

  • Apply the UEFI firmware update referenced in the ASUS Security Advisory for each affected motherboard model.
  • Inventory deployed ASUS systems against the affected chipset list to scope remediation accurately.
  • Enforce physical security controls including chassis locks, tamper-evident seals, and restricted data center access.

Patch Information

ASUS has published guidance under the "Security Update for UEFI firmware" section of the ASUS Security Advisory. Administrators should download the BIOS or UEFI update specific to their motherboard model and apply it through the vendor-supported update procedure. Validate firmware version strings after the update completes to confirm successful remediation.

Workarounds

  • Enable Intel VT-d and operating system kernel DMA protection where supported to restrict unauthorized DMA from attached devices.
  • Disable unused PCIe, M.2, and expansion slots in UEFI Setup to reduce the attack surface available to a physically present adversary.
  • Restrict administrative access required to install vendor utilities and block execution of unsigned drivers via application control policies.
bash
# Verify IOMMU/VT-d status on Linux
dmesg | grep -i -e DMAR -e IOMMU
# Confirm kernel DMA protection on Windows (PowerShell)
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.