CVE-2026-3428 Overview
A Download of Code Without Integrity Check vulnerability exists in the update modules of ASUS Member Center (华硕大厅) that allows a local user to achieve privilege escalation to Administrator. The vulnerability is exploited through a Time-of-check Time-of-use (TOC-TOU) race condition during the update process, where an attacker can substitute a malicious payload for a legitimate one immediately after download. The malicious payload is subsequently executed with administrative privileges when the user consents to the update installation.
Critical Impact
Local attackers with user-level access can exploit the race condition window during software updates to substitute malicious code and achieve Administrator-level privileges on affected systems.
Affected Products
- ASUS Member Center (华硕大厅) - Update Modules
Discovery Timeline
- April 16, 2026 - CVE-2026-3428 published to NVD
- April 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3428
Vulnerability Analysis
This vulnerability combines two weakness classes to create an exploitable privilege escalation path: the Download of Code Without Integrity Check issue in the update modules, and a race condition. The primary issue is classified under CWE-367 (Time-of-check Time-of-use Race Condition), where a time gap exists between when the update module verifies the downloaded file and when it executes the file. During this window, an attacker can replace the legitimate update with a malicious payload.
The attack requires local access to the target system with at least user-level privileges. The attacker must time their file substitution precisely to occur after the integrity check completes but before the file is executed. When successful, the malicious payload inherits the elevated privileges intended for the legitimate update, as the user has already consented to administrative execution.
Root Cause
The root cause stems from insufficient integrity verification at the point of execution in the ASUS Member Center update mechanism. The update module downloads code and performs integrity validation, but there is a temporal gap between the validation check and the actual execution of the update binary. This creates a race condition window where the validated file can be swapped with an attacker-controlled payload before execution occurs.
The lack of continuous integrity verification throughout the update lifecycle—from download through execution—allows this TOC-TOU vulnerability to be exploited. Proper implementation would require re-verification immediately before execution or use of file locking mechanisms to prevent modification.
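The two patterns described above, side by side, as an added example (this is not ASUS code; the function names, file names and the constructed sample content are assumptions). The first checks a path and later re-opens the same path; the second copies the download into a directory only the installing user can write, verifies that copy, and runs only that copy.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def read_bytes(path):
    # Stand-in for "execute the installer": returns the bytes that would have run.
    with open(path, "rb") as f:
        return f.read()

def install_by_path(staged, expected, before_use, run=read_bytes):
    # Check-then-use by path: the file is hashed now and re-opened later.
    if sha256_file(staged) != expected:
        raise ValueError("integrity check failed")
    before_use()            # the wait for user consent
    return run(staged)      # content may no longer be what was hashed

def install_verified_copy(staged, expected, before_use, run=read_bytes):
    # Hardened: verify and run a private copy that other users cannot modify.
    private_dir = tempfile.mkdtemp(prefix="upd-")   # owner-only directory
    try:
        private = os.path.join(private_dir, "update.bin")
        shutil.copyfile(staged, private)
        if sha256_file(private) != expected:         # hash the bytes that will run
            raise ValueError("integrity check failed")
        before_use()
        return run(private)
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)

def demo():
    # Constructed sample: a shared staging file that changes during the consent wait.
    staged = os.path.join(tempfile.mkdtemp(prefix="staging-"), "update.bin")
    good = b"LEGITIMATE UPDATE"
    expected = hashlib.sha256(good).hexdigest()
    def change_during_wait():
        with open(staged, "wb") as f:
            f.write(b"REPLACED CONTENT")
    results = []
    for installer in (install_by_path, install_verified_copy):
        with open(staged, "wb") as f:
            f.write(good)
        results.append(installer(staged, expected, change_during_wait))
    shutil.rmtree(os.path.dirname(staged), ignore_errors=True)
    return results

if __name__ == "__main__":
    print(demo())
```

In a Windows updater the private directory would be one whose ACL gives non-administrative users no write access, which is the same control the NTFS workaround on this page applies to the staging directory.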
Attack Vector
The attack requires local access and follows a specific exploitation pattern. An attacker must first monitor for update activity within ASUS Member Center and identify the temporary location where update files are stored after download. When an update is initiated by a legitimate user, the attacker monitors for the integrity check to complete, then rapidly replaces the validated update file with a malicious executable. When the user confirms the update installation, the malicious payload executes with Administrator privileges instead of the legitimate update.
The attack complexity is high due to the precise timing required, and it also requires user interaction (the user must consent to the update installation). This limits the practical exploitability but does not eliminate the risk in targeted attack scenarios.
Detection Methods for CVE-2026-3428
Indicators of Compromise
- Unexpected file modifications in ASUS Member Center update staging directories
- Unusual process execution chains where ASUSMemberCenter.exe spawns unsigned or untrusted executables
- File system activity showing rapid file replacement operations in temporary update folders
Detection Strategies
- Monitor file system events for rapid file deletions and creations in ASUS update directories during update processes
- Implement behavioral analysis rules to detect race condition exploitation patterns involving update mechanisms
- Use endpoint detection to track process execution chains and flag unsigned binaries launched by trusted update processes
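One way to express these strategies as a correlation rule, shown as an added example that is not taken from any product: the event schema and field names are assumptions, the events are constructed, `other.exe` is a made-up process name, and the staging path is a placeholder because the page does not name it.

```python
UPDATER = "ASUSMemberCenter.exe"          # process name from the indicators above
STAGING = "C:\\<update-staging-dir>\\"    # placeholder: the page does not give the path

# Constructed, normalized telemetry (field names are assumptions, not a product schema).
EVENTS = [
    {"t": 100.0, "kind": "file_write",    "path": STAGING + "setup.exe", "actor": UPDATER},
    {"t": 101.2, "kind": "file_delete",   "path": STAGING + "setup.exe", "actor": "other.exe"},
    {"t": 101.3, "kind": "file_write",    "path": STAGING + "setup.exe", "actor": "other.exe"},
    {"t": 109.0, "kind": "process_start", "path": STAGING + "setup.exe", "actor": UPDATER, "signed": False},
    {"t": 200.0, "kind": "file_write",    "path": STAGING + "patch.exe", "actor": UPDATER},
    {"t": 205.0, "kind": "process_start", "path": STAGING + "patch.exe", "actor": UPDATER, "signed": True},
]

def detect(events, window=2.0):
    """Return (rule, path, time) alerts for activity inside the staging directory."""
    alerts, last_writer, last_delete = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        path = e["path"]
        if not path.lower().startswith(STAGING.lower()):
            continue
        if e["kind"] == "file_delete":
            last_delete[path] = e
        elif e["kind"] == "file_write":
            d = last_delete.get(path)
            # Delete followed quickly by a re-create, done by something other than the updater.
            if d and e["actor"] != UPDATER and e["t"] - d["t"] <= window:
                alerts.append(("rapid_replace", path, e["t"]))
            last_writer[path] = e["actor"]
        elif e["kind"] == "process_start" and e["actor"] == UPDATER:
            # The updater launched a file whose last writer was a different process.
            if last_writer.get(path, UPDATER) != UPDATER:
                alerts.append(("ran_file_written_by_other_process", path, e["t"]))
            if not e.get("signed", False):
                alerts.append(("unsigned_child_of_updater", path, e["t"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```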
Monitoring Recommendations
- Enable detailed file system auditing on directories used by ASUS Member Center for update staging
- Configure alerts for any unsigned executable creation in update-related temporary directories
- Monitor for privilege escalation events that correlate with ASUS Member Center update activity
How to Mitigate CVE-2026-3428
Immediate Actions Required
- Refer to the 'Security Update for ASUS Member Center' section on the ASUS Security Advisory page for official patches
- Restrict local user access to systems running ASUS Member Center until patches are applied
- Implement application whitelisting to prevent execution of unauthorized binaries in update directories
Patch Information
ASUS has published security guidance for this vulnerability. Administrators should visit the ASUS Security Advisory page and refer to the 'Security Update for ASUS Member Center' section for official patch information and updated software versions.
Workarounds
- Temporarily disable automatic updates in ASUS Member Center and perform updates only in controlled, monitored environments
- Apply restrictive NTFS permissions on update staging directories to prevent file modification by non-administrative users
- Use SentinelOne's behavioral AI to detect and block suspicious file substitution activities targeting update mechanisms

