A critical vulnerability discovered in ASUS’s DriverHub utility allowed malicious websites to execute arbitrary code with administrator privileges on affected systems through a single click.
Security researcher Paul (known as “MrBruh”) from New Zealand uncovered the flaw, which has since been patched by ASUS.
The issue involved two serious security flaws tracked as CVE-2025-3462 (CVSS score 8.4) and CVE-2025-3463 (CVSS score 9.4), affecting ASUS’s DriverHub software – a utility automatically installed on certain ASUS motherboards during first system boot.
.png
)
This tool, which runs as a background process on port 53000, is designed to automatically detect and fetch driver updates for motherboards.
“DriverHub is an interesting piece of driver software because it doesn’t have any GUI. Instead it’s just a background process that communicates with the website driverhub.asus.com,” the researcher explains.
ASUS DriverHub Exploit Chain
The vulnerability’s root cause was improper origin validation. While DriverHub was designed to only accept requests with the origin header set to “driverhub.asus.com,” the researcher discovered that domains containing that string (such as “driverhub.asus.com.mrbruh.com”) would also be accepted.
This flaw allowed attackers to exploit the “UpdateApp” endpoint, which could download and execute files with administrator privileges.
The exploit chain worked as follows:
- A victim would visit a malicious website with a subdomain containing “driverhub.asus.com”.
- The site would make an UpdateApp request to download a malicious payload.
- It would then download a crafted AsusSetup.ini file containing a critical parameter: SilentInstallRun=calc.exe.
- Finally, it would download a legitimate ASUS-signed AsusSetup.exe.
- The signed executable would run with the -s flag, causing it to read the malicious INI file and execute the specified payload with admin rights.
“When executing AsusSetup.exe it first reads from AsusSetup.ini, which contains metadata about the driver… If you run AsusSetup.exe with the -s flag (DriverHub calls it using this to do a silent install), it will execute whatever is specified in SilentInstallRun,” the researcher explained.
There is no evidence the vulnerability was exploited in the wild before being patched.
| CVEs | Affected Products | Impact | Exploit Prerequisite | CVSS 3.1 Score |
| CVE-2025-3462 | ASUS DriverHub (motherboards only) | Remote Code Execution via origin validation error | User must visit a malicious subdomain resembling driverhub.asus.com; attacker sends crafted HTTP requests | 8.4 |
| CVE-2025-3463 | ASUS DriverHub (motherboards only) | Remote Code Execution via improper certificate validation | Same as above: user visits malicious subdomain, attacker leverages crafted HTTP requests | 9.4 |
ASUS released a security bulletin strongly recommending users update their DriverHub installation immediately, accessible by opening ASUS DriverHub and clicking “Update Now”.
Users uncomfortable with this background service can disable DriverHub from BIOS settings. For those requiring the software, immediate update is critical as the vulnerabilities could allow complete system compromise through a simple website visit.
This incident highlights ongoing security concerns with automatically installed vendor utilities and emphasizes the importance of rapid patching for critical vulnerabilities in system management software.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
