Description
Armoury Crate Service’s logging function has insufficient validation to check if the log file is a symbolic link. A physical attacker with general user privilege can modify the log file property to a symbolic link that points to arbitrary system file, causing the logging function to overwrite the system file and disrupt the system.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-6522-4eacb-1.html
Scores
CVSS v3
5.9
EPSS
0.0012
EPSS Percentile
30.3%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-59
Status
published
Products (1)
asus/armoury_crate_service
< 5.2.10.0
Published
Sep 28, 2022
Tracked Since
Feb 18, 2026