Local Privilege Escalation in ASUS Business Manager (CVE‑2026‑7480) Threatens Enterprise Admin Controls
What It Is – A client‑side authentication flaw in the ASUS Business Manager Service allows a local attacker who can run low‑privileged code to elevate privileges to SYSTEM and execute arbitrary code.
Exploitability – The vulnerability is locally exploitable; no public exploit code is known, but the required conditions (low‑privilege code execution) are common on misconfigured corporate endpoints. CVSS 7.8 (High).
Affected Products – ASUS Business Manager (all versions prior to the June 2026 security update).
TPRM Impact – Compromise of a third‑party business‑management platform can give attackers full control over the host network, exposing sensitive corporate data and enabling lateral movement to other vendor‑supplied services.
Recommended Actions –
- Verify that the June 2026 ASUS security patch is applied on all Business Manager installations.
- Enforce least‑privilege policies; restrict execution of non‑admin code on machines running Business Manager.
- Conduct an inventory of all endpoints using ASUS Business Manager and prioritize patching.
- Monitor for anomalous process creation and privilege‑escalation alerts on affected hosts.
- Update third‑party risk registers to reflect the new vulnerability and reassess vendor risk scores.
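
One way to act on the process-creation monitoring recommendation above, as an added example that is not from ASUS or the original advisory: it flags SYSTEM-integrity processes that either have a non-SYSTEM parent or were started by the Business Manager service outside a baseline. The service path and allowlist are placeholders (the advisory names neither), the field names follow Sysmon Event ID 1, and all events are constructed.

```python
# Triage of process-creation events on hosts running the service (added example).
# Field names follow Sysmon Event ID 1; every event below is constructed.

# Placeholder: the advisory does not name the service binary. Take the real
# path from the service configuration on your own endpoints.
SERVICE_IMAGE = r"C:\PLACEHOLDER\BusinessManagerService.exe"
# Assumption: children the service normally starts, taken from a host baseline.
ALLOWED_CHILDREN = {r"C:\PLACEHOLDER\BusinessManagerHelper.exe"}
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


def norm(path):
    """Windows paths are case-insensitive, so compare them lowercased."""
    return (path or "").lower()


def triage(events, service_image=SERVICE_IMAGE, allowed=ALLOWED_CHILDREN):
    """Return (reason, event) pairs for SYSTEM-integrity processes to review."""
    allowed_norm = {norm(p) for p in allowed}
    findings = []
    for e in events:
        if e.get("IntegrityLevel") != "System":
            continue  # only processes that ended up at SYSTEM integrity matter
        parent_user = e.get("ParentUser", "")
        if parent_user and parent_user.upper() != SYSTEM_USER:
            # A SYSTEM process whose parent ran as an ordinary user.
            findings.append(("system-child-of-user-process", e))
        elif (norm(e.get("ParentImage")) == norm(service_image)
              and norm(e.get("Image")) not in allowed_norm):
            # The service started something outside its baseline.
            findings.append(("unexpected-child-of-service", e))
    return findings


def make_event(image, parent_image, parent_user, level):
    return {"Image": image, "ParentImage": parent_image,
            "ParentUser": parent_user, "IntegrityLevel": level}


SAMPLE_EVENTS = [  # constructed sample data
    make_event(r"C:\PLACEHOLDER\BusinessManagerHelper.exe", SERVICE_IMAGE, SYSTEM_USER, "System"),
    make_event(r"C:\Windows\System32\cmd.exe", SERVICE_IMAGE.upper(), SYSTEM_USER, "System"),
    make_event(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", r"CORP\jdoe", "Medium"),
    make_event(r"C:\Users\jdoe\AppData\Local\Temp\a.exe", r"C:\Users\jdoe\b.exe", r"CORP\jdoe", "System"),
    make_event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", SYSTEM_USER, "System"),
]

if __name__ == "__main__":
    for reason, event in triage(SAMPLE_EVENTS):
        print(reason, event["Image"], "<-", event["ParentImage"])
```

Both rules are heuristics: build the allowlist from a baseline of each host's normal service behaviour before alerting on it.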