The ASUS DriverHub driver administration utility was weak to a vital distant code execution flaw that allowed malicious websites to execute instructions on units with the software program put in.
The flaw was found by an unbiased cybersecurity researcher from New Zealand named Paul (aka “Arnet“), who discovered that the software program had poor validation of instructions despatched to the DriverHub background service.
This allowed the researcher to create an exploit chain using flaws tracked as CVE-2025-3462 and CVE-2025-3463 that, when mixed, obtain origin bypass and set off distant code execution on the goal.
The DriverHub downside
DriverHub is ASUS’s official driver administration instrument that’s robotically put in on the primary system boot when using sure ASUS motherboards.
This software program runs within the background, robotically detecting and fetching the most recent driver variations for the detected motherboard mannequin and its chipset.
As soon as put in, the instrument stays lively and operating within the background through an area service on port 53000, regularly checking for necessary driver updates.
In the meantime, most customers do not even know such a service is consistently operating on their system.
That service checks the Origin Header of incoming HTTP requests to reject something that does not come from ‘driverhub.asus.com.’
Nonetheless, this test is poorly carried out, as any website that features that string is accepted even when it is not a precise match to ASUS’s official portal.
The second concern lies within the UpdateApp endpoint, which permits DriverHub to obtain and run .exe information from “.asus.com” URLs with out consumer affirmation.
The BIOS setting regarding DriverHub (Enabled by default)
Supply: MrBruh
Stealthy assault move
An attacker can goal any consumer with ASUS DriverHub operating on their system to trick them into visiting a malicious web site on their browser. This web site then sends “UpdateApp requests” to the native service at ‘http://127.0.0.1:53000.’
By spoofing the Origin Header to one thing like ‘driverhub.asus.com.mrbruh.com,’ the weak validation test is bypassed, so DriverHub accepts the instructions.
Within the researcher’s demonstration, the instructions order the software program to obtain a reliable ASUS-signed ‘AsusSetup.exe’ installer from the seller’s obtain portal, together with a malicious .ini file and .exe payload.
The ASUS-signed installer is silently run as admin and makes use of the configuration info within the .ini file. This ini file directs the reliable ASUS driver installer to launch the malicious executable file.
The assault can be made attainable by the instrument failing to delete information that fail signature checks, just like the .ini and payload, that are stored on the host after their obtain.
ASUS’ response and consumer motion
ASUS acquired the researcher’s experiences on April 8, 2025, and carried out a repair on April 18, after validating it with MrBruh the day earlier than. The {hardware} big didn’t provide the researcher any bounty for his disclosure.
The CVE descriptions, which the Taiwanese vendor submitted, considerably downplays the problem with the next assertion:
“This concern is proscribed to motherboards and doesn’t have an effect on laptops, desktop computer systems, or different endpoints,” reads the CVE description.
That is complicated, because the talked about CVEs affect laptops and desktop computer systems with DriverHub put in.
Nonetheless, ASUS is clearer in its safety bulletin, advising customers to rapidly apply the most recent replace.
“This replace consists of necessary safety updates and ASUS strongly recommends that customers replace their ASUS DriverHub set up to the most recent model,” reads the bulletin.
“The most recent Software program Replace could be accessed by opening ASUS DriverHub, then clicking the “Replace Now” button.”
MrBruh says he monitored certificates transparency updates and located no different TLS certificates containing the “driverhub.asus.com” string, indicating it was not exploited within the wild.
If you happen to’re uncomfortable with a background service robotically fetching probably harmful information upon visiting web sites, you could disable DriverHub out of your BIOS settings.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and find out how to defend towards them.
