CVE-2022-26668 – ASUS Control Center API has broken access contr... (How to Fix)

Q: What is the severity of CVE-2022-26668?

CVE-2022-26668 has a CVSS score of 7.3 (HIGH). ASUS Control Center API has broken access control allowing unauthenticated remote attackers to call privileged API functions. This can lead to partial system operations or service disruption. Affects systems running vulnerable ASUS Control Center software.

📋 TL;DR

ASUS Control Center API has broken access control allowing unauthenticated remote attackers to call privileged API functions. This can lead to partial system operations or service disruption. Affects systems running vulnerable ASUS Control Center software.

💻 Affected Systems

Products:

ASUS Control Center

Versions: Specific versions not detailed in provided references, but likely multiple versions before patched release.

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects ASUS Control Center installations on Windows systems. Exact version ranges should be verified from vendor advisory.

📦 What is this software?

Control Center by Asus

View all CVEs affecting Control Center →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated attacker gains administrative control over affected systems, executes arbitrary commands, disrupts critical services, or manipulates system configurations.

🟠

Likely Case

Attackers perform unauthorized system operations, disrupt services, or manipulate configurations without authentication.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable API endpoints.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible if API is exposed to internet.

🏢 Internal Only: MEDIUM - Internal attackers can exploit without credentials, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Direct API calls without authentication required. No public exploit code identified in provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ASUS advisory for specific patched version

Vendor Advisory: https://www.twcert.org.tw/tw/cp-132-6055-c6500-1.html

Restart Required: Yes

Instructions:

1. Visit ASUS support website
2. Download latest ASUS Control Center update
3. Install update following vendor instructions
4. Restart system

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to ASUS Control Center API endpoints

Use firewall rules to block external access to ASUS Control Center ports

Disable Unused Service

windows

Temporarily disable ASUS Control Center if not required

sc stop "ASUS Control Center Service"
sc config "ASUS Control Center Service" start= disabled

🧯 If You Can't Patch

Implement strict network access controls to isolate affected systems
Monitor for unauthorized API calls to ASUS Control Center endpoints

🔍 How to Verify

Check if Vulnerable:

Check ASUS Control Center version against vendor advisory. Test if unauthenticated API calls to privileged endpoints succeed.

Check Version:

Check ASUS Control Center About section or installed programs list

Verify Fix Applied:

Verify ASUS Control Center is updated to patched version. Test that unauthenticated API calls now fail.

📡 Detection & Monitoring

Log Indicators:

Unauthenticated API calls to ASUS Control Center
Unexpected system configuration changes
Service disruption events

Network Indicators:

Unusual traffic to ASUS Control Center API ports from unauthorized sources

SIEM Query:

source_ip NOT IN authorized_list AND destination_port IN (ASUS_Control_Center_ports)

📊 Metadata

CVE ID: CVE-2022-26668

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-269

Published: June 20, 2022

Last Updated: November 21, 2024

🔗 References

https://www.twcert.org.tw/tw/cp-132-6055-c6500-1.html Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-6055-c6500-1.html Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26668, you might also want to check these: