ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files

May 12, 2025Ravie LakshmananVulnerability / Endpoint Security

ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution.

DriverHub is a tool that’s designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a dedicated site hosted at “driverhub.asus[.]com.”

The flaws identified in the software are listed below –

• CVE-2025-3462 (CVSS score: 8.4) – An origin validation error vulnerability that may allow unauthorized sources to interact with the software’s features via crafted HTTP requests
• CVE-2025-3463 (CVSS score: 9.4) – An improper certificate validation vulnerability that may allow untrusted sources to affect system behavior via crafted HTTP requests

Security researcher MrBruh, who is credited with discovering and reporting the two vulnerabilities, said they could be exploited to achieve remote code execution as part of a one-click attack.

The attack chain essentially involves tricking an unsuspecting user into visiting a sub-domain of driverhub.asus[.]com (e.g., driverhub.asus.com..com) and then leveraging the DriverHub’s UpdateApp endpoint to execute a legitimate version of the “AsusSetup.exe” binary with an option set to run any file hosted on the fake domain.

“When executing AsusSetup.exe it first reads from AsusSetup.ini, which contains metadata about the driver,” the researcher explained in a technical report.

“If you run AsusSetup.exe with the -s flag (DriverHub calls it using this to do a silent install), it will execute whatever is specified in SilentInstallRun. In this case, the ini file specifies a cmd script that performs an automated headless install of the driver, but it could run anything.”

All an attacker needs to successfully pull off the exploit is to create a domain, and host three files, the malicious payload to be run, an altered version of AsusSetup.ini that has the “SilentInstallRun” property set to the malicious binary, and AsusSetup.exe, which then make use of the property to run the payload.

Following responsible disclosure on April 8, 2025, the issues were fixed by ASUS on May 9. There is no evidence that the vulnerabilities have been exploited in the wild.

“This update includes important security updates and ASUS strongly recommends that users update their ASUS DriverHub installation to the latest version,” the company said in a bulletin. “The latest Software Update can be accessed by opening ASUS DriverHub, then clicking the ‘Update Now’ button.”