A critical security flaw in ASUS DriverHub, a utility pre-installed on many ASUS motherboards, can be exploited to achieve remote code execution (RCE) with administrative privileges.
ASUS has addressed the issue in a recent update, but the vulnerability window has been open for an indeterminate period, while manual action from impacted users is required to address the risk.
The vulnerability was discovered and responsibly disclosed by independent researcher “MrBruh,” who detailed the findings on his blog. He began examining ASUS DriverHub after noticing the tool auto-installed via BIOS defaults on a newly built desktop system using an ASUS motherboard. DriverHub operates silently as a background process that interfaces with ASUS's driver recommendation service over driverhub.asus.com, offering no graphical user interface and relying instead on a localhost web API running on port 53000.
The issue stems from poor validation of HTTP request origins to the local RPC endpoint. Although DriverHub superficially restricts interactions to the official domain, the implementation accepts origin headers from subdomains such as driverhub.asus.com.malicious.com, due to insecure substring matching. This makes it possible for any website hosted on such a domain to issue privileged commands to the local service when visited by a vulnerable user.
ASUS DriverHub is software designed to automatically install and update device drivers for ASUS motherboards, particularly during initial OS setup. It's often installed without user interaction if BIOS-level default settings are left unchanged. The utility pulls driver packages from ASUS servers and executes them with system privileges — behavior that makes it especially risky when RPC calls are not tightly controlled.
MrBruh
The most severe vulnerability, tracked as CVE-2025-3463, carries a CVSS v4.0 base score of 9.4 (Critical). The flaw allows an attacker to chain multiple weaknesses to achieve full remote code execution as SYSTEM. By abusing the UpdateApp endpoint, attackers can trick DriverHub into downloading and silently executing a signed ASUS installer (AsusSetup.exe). If the accompanying .ini file is also attacker-controlled and specifies a malicious command in the SilentInstallRun directive, arbitrary code is executed with elevated privileges — bypassing signature validation, since the entry point itself is a legitimately signed binary.
A secondary but related flaw, CVE-2025-3462, was rated 8.4 (High) and involves broader concerns around insufficient input validation and potential information disclosure. This includes API endpoints that return sensitive data such as MAC addresses, driver details, and hardware inventories, all callable from untrusted websites if origin spoofing is used.
The vulnerabilities were responsibly disclosed to ASUS on April 8, 2025, following their initial discovery on April 7. ASUS responded with a patched version of DriverHub by April 17, and public CVE entries were published on May 9. Despite the quick fix, ASUS's public advisory downplays the severity by stating the issue is limited to “motherboards” and does “not affect laptops, desktop computers, or other endpoints,” an assertion that the researcher strongly disputes. In fact, any system with ASUS DriverHub installed — regardless of form factor — is exposed.
Notably, ASUS does not operate a public bug bounty program, though the researcher was credited on the company's “hall of fame” page.
ASUS users are now urged to manually update DriverHub by launching the utility and clicking “Update Now.” It is also recommended to consider disabling automatic driver installation from BIOS to prevent the auto-fetching of upgrade packages during system setup.
Leave a Reply