Wednesday, May 14, 2025

Critical ASUS DriverHub Flaw Allowed One-Click Remote Code Execution

by Charline

A serious vulnerability in ASUS’s DriverHub utility exposed users to remote code execution attacks with administrator privileges through a simple website visit. The flaw, now patched, could have allowed attackers to take full control of affected systems.

Researcher Finds Severe Security Gaps

The vulnerability was discovered by Paul, a security researcher from New Zealand, known online as “MrBruh.” He reported the issue to ASUS, which quickly released a security update to fix the problem.

The flaw involved two critical vulnerabilities, tracked as CVE-2025-3462 (CVSS score 8.4) and CVE-2025-3463 (CVSS score 9.4). Both affected ASUS’s DriverHub, a tool pre-installed on certain ASUS motherboards when the system boots for the first time.

DriverHub runs in the background on port 53000 and automatically checks for motherboard driver updates. It does not have a graphical user interface (GUI) and communicates with ASUS’s website to perform its tasks.

How Attackers Could Exploit the Flaw

The core issue was improper validation of the request origin. DriverHub was supposed to accept requests only from the domain driverhub.asus.com. However, Paul found that any domain containing that string—such as driverhub.asus.com.mrbruh.com—would bypass this security check.

This oversight allowed attackers to send malicious requests to DriverHub’s UpdateApp endpoint. Through this, attackers could download and execute files with system-level privileges.
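To make the origin-validation bug concrete, here is an added Python example (not ASUS's code, and not the patched DriverHub logic) that contrasts a substring-style check of the kind described above with a strict Origin check; the function names, the sample Origin values and the requirement for an https scheme are assumptions for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "driverhub.asus.com"

def weak_origin_allowed(origin: str) -> bool:
    """Substring match of the kind the article describes: any Origin that
    merely contains the trusted host name is accepted, so a lookalike such
    as 'driverhub.asus.com.mrbruh.com' passes."""
    return TRUSTED_HOST in origin

def strict_origin_allowed(origin: str) -> bool:
    """Hardened check (assumed design, not ASUS's patched code): parse the
    Origin header and accept only https with an exact host-name match.
    A browser Origin is scheme://host[:port], so a path, query, fragment
    or userinfo is itself a sign of a malformed or spoofed value."""
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    if port not in (None, 443):
        return False
    return host == TRUSTED_HOST  # .hostname is already lower-cased

# Constructed sample Origin values for the demonstration
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",                     # genuine
    "https://DriverHub.ASUS.com:443",                 # genuine, odd casing/port
    "https://driverhub.asus.com.mrbruh.com",          # lookalike from the write-up
    "https://evil.example/?ref=driverhub.asus.com",   # string hidden in the query
    "https://driverhub.asus.com@evil.example",        # string hidden in userinfo
    "http://driverhub.asus.com",                      # right host, no TLS
    "null",                                           # opaque origin
]

def compare(origin: str) -> tuple[bool, bool]:
    """Return (weak_result, strict_result) for one Origin value."""
    return weak_origin_allowed(origin), strict_origin_allowed(origin)

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        weak, strict = compare(o)
        print(f"{o:48} weak={weak!s:5} strict={strict}")
```

Every lookalike in the sample list slips past the substring check and is rejected by the exact-match check; the only value both agree on is the genuine origin.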

The attack method was straightforward:

  • The victim visits a malicious website with a subdomain including driverhub.asus.com.
  • The website sends an UpdateApp request to download a malicious payload.
  • It downloads a crafted AsusSetup.ini file with the line SilentInstallRun=calc.exe.
  • Finally, it downloads a legitimate ASUS-signed AsusSetup.exe file.
  • When the signed executable runs with the -s flag, it reads the INI file and executes the malicious payload with admin rights.

“The executable reads from AsusSetup.ini, which contains driver metadata. With the -s flag for silent installs, it will execute whatever is specified in SilentInstallRun,” the researcher explained.

Patch Released, No Known Exploits in the Wild

There are no reports that attackers exploited this vulnerability before the fix was issued. Still, ASUS urged all users to update DriverHub immediately. The update can be applied by opening the utility and clicking Update Now.

For users concerned about the tool’s background activity, ASUS also recommends disabling DriverHub through BIOS settings. However, for those who rely on the utility, updating is critical to prevent potential system compromise.

Broader Security Lessons

This incident underscores the risks of vendor-installed utilities running with elevated privileges. It also highlights the importance of quick security patching for system management software. Even tools designed to simplify updates can become attack vectors if not properly secured.
