Zero Day Initiative Advises on ASUS Business Manager Privilege Escalation Vulnerability
A local privilege escalation vulnerability, CVE-2026-7480, affects ASUS Business Manager, allowing attackers with low-privileged code execution to gain higher privileges.
The Zero Day Initiative (ZDI) has disclosed a high-severity local privilege escalation vulnerability, identified as ZDI-26-328 and cataloged under CVE-2026-7480, affecting ASUS Business Manager. This flaw, assigned a CVSS score of 7.8, enables attackers who have already gained low-privileged access to a target system to escalate their privileges to SYSTEM level.
The vulnerability resides within the ASUS Business Manager Service and stems from an issue with client-side authentication. By exploiting this weakness, an attacker can execute arbitrary code with elevated permissions, potentially leading to a full system compromise. Exploitation requires that the attacker can already run code on the affected machine, so this is not a remote code execution vulnerability but a post-exploitation privilege escalation.
ASUS has acknowledged the vulnerability and has released an update to address it. The company has provided a security advisory detailing the fix, which is available on their official website. Users of ASUS Business Manager are strongly advised to apply the available patch as soon as possible to mitigate the risk of exploitation.
The disclosure timeline indicates that the vulnerability was initially reported to ASUS on March 25th, 2026. Following a coordinated disclosure process, ZDI published the advisory on June 4th, 2026, with an update to the advisory also occurring on the same day. This timeline suggests a typical responsible disclosure period, allowing the vendor sufficient time to develop and release a patch.
The discovery and reporting of this vulnerability are credited to Gu YongZeng, who operates under the handle @0x0dee. The Zero Day Initiative, a program run by Trend Micro, plays a crucial role in discovering and facilitating the responsible disclosure of security vulnerabilities, working with vendors to ensure patches are available before public release.
This vulnerability highlights the ongoing challenge of securing business management software, which often handles sensitive company data and configurations. Privilege escalation flaws are particularly dangerous as they can turn a limited breach into a full system takeover, allowing attackers to move laterally within a network or exfiltrate critical information.
Organizations utilizing ASUS Business Manager should prioritize the application of the security update provided by ASUS. Regular patching and diligent security practices are essential to protect against such threats. The CVSS score of 7.8 indicates a high severity, underscoring the importance of prompt remediation.
Further technical details and the patch can be found via the official ASUS security advisory. The Zero Day Initiative's advisory provides a concise overview of the vulnerability, its impact, and the affected product.