CVE-2026-3428: ASUS Member Center Privilege Escalation

CVE-2026-3428 is a privilege escalation vulnerability in ASUS Member Center that exploits a TOC-TOU flaw during updates to execute malicious code with admin privileges. This article covers technical details, impact, and mitigation.

CVE-2026-3428 Overview

A Download of Code Without Integrity Check vulnerability exists in the update modules of ASUS Member Center (华硕大厅) that allows a local user to achieve privilege escalation to Administrator. The vulnerability is exploited through a Time-of-check Time-of-use (TOC-TOU) race condition during the update process, where an attacker can substitute a malicious payload for a legitimate one immediately after download. The malicious payload is subsequently executed with administrative privileges when the user consents to the update installation.

Critical Impact

Local attackers with user-level access can exploit the race condition window during software updates to substitute malicious code and achieve Administrator-level privileges on affected systems.

Affected Products

  • ASUS Member Center (华硕大厅) - Update Modules

Discovery Timeline

  • April 16, 2026 - CVE-2026-3428 published to NVD
  • April 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-3428

Vulnerability Analysis

This vulnerability combines two weakness classes, Download of Code Without Integrity Check and a Time-of-check Time-of-use race, to create an exploitable privilege escalation path. The primary issue is classified under CWE-367 (Time-of-check Time-of-use Race Condition): a time gap exists between the moment the update module verifies the downloaded file and the moment it executes that file. During this window, an attacker can replace the legitimate update with a malicious payload.

The attack requires local access to the target system with at least user-level privileges. The attacker must time their file substitution precisely to occur after the integrity check completes but before the file is executed. When successful, the malicious payload inherits the elevated privileges intended for the legitimate update, as the user has already consented to administrative execution.

Root Cause

The root cause stems from insufficient integrity verification at the point of execution in the ASUS Member Center update mechanism. The update module downloads code and performs integrity validation, but there is a temporal gap between the validation check and the actual execution of the update binary. This creates a race condition window where the validated file can be swapped with an attacker-controlled payload before execution occurs.

The lack of continuous integrity verification throughout the update lifecycle—from download through execution—allows this TOC-TOU vulnerability to be exploited. Proper implementation would require re-verification immediately before execution or use of file locking mechanisms to prevent modification.
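The re-verification requirement above, sketched as an added example (not ASUS code and not the vendor's fix): the installer copies the download into a directory only it can write, hashes that copy through the same open descriptor, and executes only the copy. The function names, the private directory, and the POSIX permission bits standing in for an administrators-only ACL are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_of_fd(fd):
    """Hash the bytes behind an already-open descriptor, never a path."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 65536):
        digest.update(chunk)
    return digest.hexdigest()


def stage_verified(download_path, expected_sha256, private_dir):
    """Copy the download into a directory only the installer account can
    write, verify the copy through the same descriptor, return its path.

    The bytes that were hashed are the bytes the caller executes, so
    replacing download_path after this call changes nothing.
    """
    # Assumption: private_dir is not writable by unprivileged users.
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, staged_path = tempfile.mkstemp(dir=private_dir, suffix=".pkg")
    try:
        with open(download_path, "rb") as src:
            while chunk := src.read(65536):
                os.write(fd, chunk)
        os.fsync(fd)
        if sha256_of_fd(fd) != expected_sha256:
            raise ValueError("update package failed integrity check")
    except Exception:
        os.close(fd)
        os.unlink(staged_path)    # leave no unverified file behind
        raise
    os.close(fd)
    os.chmod(staged_path, 0o500)  # owner read/execute only, no write
    return staged_path
```

The check is only as strong as the source of `expected_sha256`, which has to come from a signed manifest or similar authenticated channel rather than from the same user-writable location as the download.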

Attack Vector

The attack requires local access and follows a specific exploitation pattern. An attacker must first monitor for update activity within ASUS Member Center and identify the temporary location where update files are stored after download. When an update is initiated by a legitimate user, the attacker monitors for the integrity check to complete, then rapidly replaces the validated update file with a malicious executable. When the user confirms the update installation, the malicious payload executes with Administrator privileges instead of the legitimate update.

The attack complexity is high due to the precise timing required, and it also requires user interaction (the user must consent to the update installation). This limits the practical exploitability but does not eliminate the risk in targeted attack scenarios.

Detection Methods for CVE-2026-3428

Indicators of Compromise

  • Unexpected file modifications in ASUS Member Center update staging directories
  • Unusual process execution chains where ASUSMemberCenter.exe spawns unsigned or untrusted executables
  • File system activity showing rapid file replacement operations in temporary update folders

Detection Strategies

  • Monitor file system events for rapid file deletions and creations in ASUS update directories during update processes
  • Implement behavioral analysis rules to detect race condition exploitation patterns involving update mechanisms
  • Use endpoint detection to track process execution chains and flag unsigned binaries launched by trusted update processes
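An added example of the first strategy as detection logic (not a vendor rule): it flags a staged file that a process other than the updater changed after the updater last wrote it, and that was then executed. The event fields, the operation names, `other.exe`, and the `STAGING` placeholder path are assumptions to map onto whatever file-audit source is in use; only `ASUSMemberCenter.exe` comes from this page.

```python
from dataclasses import dataclass

UPDATER = "ASUSMemberCenter.exe"      # process name from the IoC list above
STAGING = r"c:\<update_staging_dir>"  # placeholder: real path not given here
MUTATING = {"create", "write", "rename", "delete"}


@dataclass
class FileEvent:
    ts: float      # seconds since start of capture
    process: str   # image name of the acting process
    op: str        # create | write | rename | delete | execute
    path: str


def find_substitutions(events):
    """Return (path, process, ts) for each staged file that a non-updater
    process changed after the updater's last write and before execution."""
    updater_wrote, tampered, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.path.lower()
        if not key.startswith(STAGING):
            continue
        if ev.op in MUTATING and ev.process == UPDATER:
            updater_wrote[key] = ev.ts
            tampered.pop(key, None)       # updater rewrote it: reset state
        elif ev.op in MUTATING and key in updater_wrote:
            tampered.setdefault(key, ev)  # keep the first foreign change
        elif ev.op == "execute" and key in tampered:
            change = tampered.pop(key)
            alerts.append((ev.path, change.process, change.ts))
    return alerts


def sample_events():
    """Constructed events for illustration, not real telemetry."""
    pkg = STAGING + r"\update.exe"
    return [
        FileEvent(10.0, UPDATER, "write", pkg),
        FileEvent(12.4, "other.exe", "delete", pkg),
        FileEvent(12.5, "other.exe", "create", pkg),
        FileEvent(15.0, UPDATER, "execute", pkg),
    ]
```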

Monitoring Recommendations

  • Enable detailed file system auditing on directories used by ASUS Member Center for update staging
  • Configure alerts for any unsigned executable creation in update-related temporary directories
  • Monitor for privilege escalation events that correlate with ASUS Member Center update activity

How to Mitigate CVE-2026-3428

Immediate Actions Required

  • Refer to the 'Security Update for ASUS Member Center' section of the ASUS Security Advisory page for official patches
  • Restrict local user access to systems running ASUS Member Center until patches are applied
  • Implement application whitelisting to prevent execution of unauthorized binaries in update directories

Patch Information

ASUS has published security guidance for this vulnerability. Administrators should visit the ASUS Security Advisory page and refer to the 'Security Update for ASUS Member Center' section for official patch information and updated software versions.

Workarounds

  • Temporarily disable automatic updates in ASUS Member Center and perform updates only in controlled, monitored environments
  • Apply restrictive NTFS permissions on update staging directories to prevent file modification by non-administrative users
  • Use SentinelOne's behavioral AI to detect and block suspicious file substitution activities targeting update mechanisms

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
