ASUS has announced critical updates to mitigate two significant security vulnerabilities found in ASUS DriverHub. These flaws, if successfully exploited, could allow an attacker to achieve remote code execution, putting users at considerable risk.

DriverHub is a utility designed to automatically identify a computer’s motherboard model and facilitate the installation of necessary drivers by connecting to a specific site hosted at driverhub.asus.com. The vulnerabilities uncovered within this software have raised alarms regarding potential unauthorized access to its functionalities via malicious HTTP requests.

The first vulnerability, CVE-2025-3462 (CVSS score 8.4), is an origin validation error that could allow attackers to interact with DriverHub features by leveraging crafted requests. The second, CVE-2025-3463, carries an even higher CVSS score of 9.4 and is an improper certificate validation flaw that might enable untrusted sources to manipulate system behavior through similar crafted HTTP requests.

Researcher MrBruh, who identified and disclosed these vulnerabilities, noted that they pose a substantial risk by potentially enabling a one-click attack for remote code execution. The attack scenario involves deceiving users into visiting a malicious sub-domain associated with driverhub.asus.com, allowing the misuse of DriverHub’s UpdateApp endpoint to invoke a legitimate program, AsusSetup.exe, with altered parameters set by the attacker.
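To illustrate the origin validation error class behind CVE-2025-3462, the following added example (not ASUS's code and not taken from the researcher's write-up) contrasts a substring-style check of the HTTP Origin header with an exact-match check. The article does not say how DriverHub implemented its check, so the weak variant is an assumption, and the function names and `example.test` sample origins are constructed.

```python
from urllib.parse import urlsplit

TRUSTED_HOST = "driverhub.asus.com"  # the site named in the article

def weak_origin_ok(origin: str) -> bool:
    # Assumed flawed check: the trusted name only has to appear somewhere.
    return TRUSTED_HOST in origin

def strict_origin_ok(origin: str) -> bool:
    """Accept only https://driverhub.asus.com on the default port."""
    if not origin or origin == "null" or any(c.isspace() for c in origin):
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # A well-formed Origin is scheme://host[:port] with nothing else attached.
    if parts.path or parts.query or parts.fragment:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    return parts.hostname == TRUSTED_HOST  # exact host, no suffix or prefix

# Constructed sample Origin values; example.test is a reserved test domain.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com:443",
    "https://driverhub.asus.com.example.test",
    "https://driverhub.asus.com@example.test",
    "http://driverhub.asus.com",
    "https://driverhub.asus.com:8443",
    "null",
]

def audit(origins):
    """Return {origin: (weak_result, strict_result)} for comparison."""
    return {o: (weak_origin_ok(o), strict_origin_ok(o)) for o in origins}

if __name__ == "__main__":
    for origin, (weak, strict) in audit(SAMPLE_ORIGINS).items():
        print(f"{origin!r:45} weak={weak!s:5} strict={strict}")
```
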

According to MrBruh’s technical analysis, executing AsusSetup.exe entails reading from AsusSetup.ini, which contains essential driver metadata. The attacker could exploit this by running a command script specified in the ini file that performs an automated installation of malicious software instead of the intended driver.

To carry out this attack, an adversary would need to create a fraudulent domain and host three components on it: the harmful payload to be executed, a modified AsusSetup.ini indicating which file to run, and the AsusSetup.exe executable. By adjusting the SilentInstallRun property in the ini file, the attacker can redirect the legitimate update process to execute the malicious payload.

The vulnerabilities were responsibly disclosed on April 8, 2025, and ASUS provided patches on May 9, 2025. So far, there is no evidence to suggest that these vulnerabilities have been leveraged in real-world attacks.

As part of their response, ASUS emphasized the importance of updating DriverHub to the latest version, underscoring the security improvements in the latest release. Users can access the software update by launching DriverHub and following the prompts to upgrade.

From a cybersecurity perspective, the attack methods highlighted in this incident align with initial access tactics and potential exploitation techniques outlined in the MITRE ATT&CK framework. Understanding these tactics is crucial for business leaders to recognize the evolving landscape of cybersecurity threats and take appropriate measures to safeguard their systems.
