{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15038", "assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "state": "PUBLISHED", "assignerShortName": "ASUS", "dateReserved": "2025-12-23T06:48:58.144Z", "datePublished": "2026-03-12T02:03:19.645Z", "dateUpdated": "2026-03-12T14:48:08.340Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "shortName": "ASUS", "dateUpdated": "2026-03-12T02:55:39.399Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "ASUS", "product": "ASUS Business System Control Interface", "versions": [{"status": "affected", "version": "0", "lessThan": "0.5.14.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:asus:asus_business_system_control_interface:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.5.14.0", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "An Out-of-Bounds\nRead vulnerability exists in the ASUS Business System\nControl Interface driver. This vulnerability can be triggered by an unprivileged local user\nsending a specially crafted IOCTL \u00a0request, potentially leading\nto a disclosure of\nkernel information or a system crash. Refer to the \"Security Update for ASUS\u00a0\nBusiness System Control Interface\" section on the ASUS Security Advisory for more information.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An Out-of-Bounds\nRead vulnerability exists in the ASUS Business System\nControl Interface driver. This vulnerability can be triggered by an unprivileged local user\nsending a specially crafted IOCTL &nbsp;request, potentially leading\nto a disclosure of\nkernel information or a system crash. Refer to the \"Security Update for ASUS&nbsp;\nBusiness System Control Interface\" section on the ASUS Security Advisory for more information.</p>"}]}], "references": [{"url": "https://www.asus.com/content/security-advisory"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:47:20.773357Z", "id": "CVE-2025-15038", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:48:08.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15038", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:47:20.773357Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:47:51.226Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ASUS", "product": "ASUS Business System Control Interface", "versions": [{"status": "affected", "version": "0", "lessThan": "0.5.14.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.asus.com/content/security-advisory"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An Out-of-Bounds\nRead vulnerability exists in the ASUS Business System\nControl Interface driver. This vulnerability can be triggered by an unprivileged local user\nsending a specially crafted IOCTL \u00a0request, potentially leading\nto a disclosure of\nkernel information or a system crash. Refer to the \"Security Update for ASUS\u00a0\nBusiness System Control Interface\" section on the ASUS Security Advisory for more information.", "supportingMedia": [{"type": "text/html", "value": "<p>An Out-of-Bounds\nRead vulnerability exists in the ASUS Business System\nControl Interface driver. This vulnerability can be triggered by an unprivileged local user\nsending a specially crafted IOCTL &nbsp;request, potentially leading\nto a disclosure of\nkernel information or a system crash. Refer to the \"Security Update for ASUS&nbsp;\nBusiness System Control Interface\" section on the ASUS Security Advisory for more information.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:asus:asus_business_system_control_interface:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.5.14.0", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "shortName": "ASUS", "dateUpdated": "2026-03-12T02:55:39.399Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15038", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:48:08.340Z", "dateReserved": "2025-12-23T06:48:58.144Z", "assignerOrgId": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "datePublished": "2026-03-12T02:03:19.645Z", "assignerShortName": "ASUS"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-Bounds\nRead vulnerability exists in the ASUS Business System\nControl Interface driver. This vulnerability can be triggered by an unprivileged local user\nsending a specially crafted IOCTL \u00a0request, potentially leading\nto a disclosure of\nkernel information or a system crash. Refer to the \"Security Update for ASUS\u00a0\nBusiness System Control Interface\" section on the ASUS Security Advisory for more information."}, {"lang": "es", "value": "Existe una vulnerabilidad de lectura fuera de l\u00edmites en el controlador de la Interfaz de Control del Sistema Empresarial de ASUS. Esta vulnerabilidad puede ser activada por un usuario local sin privilegios que env\u00ede una solicitud IOCTL especialmente dise\u00f1ada, lo que podr\u00eda llevar a una divulgaci\u00f3n de informaci\u00f3n del kernel o a un fallo del sistema. Consulte la secci\u00f3n 'Actualizaci\u00f3n de seguridad para la Interfaz de Control del Sistema Empresarial de ASUS' en el Aviso de Seguridad de ASUS para m\u00e1s informaci\u00f3n."}], "id": "CVE-2025-15038", "lastModified": "2026-03-12T21:07:53.427", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}, "published": "2026-03-12T03:15:57.403", "references": [{"source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "url": "https://www.asus.com/content/security-advisory"}], "sourceIdentifier": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "54bf65a7-a193-42d2-b1ba-8e150d3c35e1", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.14.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "ASUS Business System Control Interface", "source": "cna", "vendor": "ASUS"}, "product": "asus_business_system_control_interface", "vendor": "asus"}], "analysis": {"en": {"generated_at": "2026-03-18T15:52:46.612025+00:00", "value": {"mitigation_remediation": ["Apply the latest ASUS Business System Control Interface driver update as outlined in the ASUS Security Advisory.", "Verify that the driver version meets the corrected release; if required, reinstall or update the firmware.", "If a patch is not yet released, monitor ASUS advisories and apply the update promptly once available."], "summary": {"action": "Apply Patch", "impact": "Kernel Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ASUS Business System Control Interface product. No specific affected versions are listed in the CVE data, so all releases prior to the advisory may be susceptible. The provided CPE string (cpe:2.3:a:asus:asus_business_system_control_interface:*:*:*:*:*:*:*:*) indicates the scope of the affected product.", "description_and_impact": "An Out-of-Bounds Read vulnerability (CWE\u2011125) exists in the ASUS Business System Control Interface driver. An unprivileged local user can trigger the flaw by sending a specially crafted IOCTL request, which may result in the disclosure of kernel data or cause a system crash. The primary impact is the leakage of kernel information, potentially compromising confidentiality, with a secondary denial\u2011of\u2011service risk if the system becomes unstable.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, further reducing the overall risk profile. The attack vector is local and requires an unprivileged user to send the crafted IOCTL; therefore, remote exploitation is not possible without first gaining local access."}}}}, "created": "2026-03-13T09:53:44.383962+00:00", "title": "Out-of-Bounds Read in ASUS Business System Control Interface Driver", "updated": "2026-03-20T15:36:12.891297+00:00", "vendors": ["asus", "asus$PRODUCT$asus_business_system_control_interface"]}