ASUS Addresses Remote Code Execution Vulnerabilities in DriverHub Accessible through HTTP and Malicious .ini Files

ASUS has implemented security updates to rectify two critical vulnerabilities affecting the ASUS DriverHub software. These flaws, if successfully exploited, could allow an attacker to execute remote code on the affected systems.

ASUS DriverHub serves as a utility designed to automatically identify the motherboard model of a computer and provide necessary driver updates by connecting to a designated site hosted at “driverhub.asus.com.”

The identified vulnerabilities are detailed as follows:

CVE-2025-3462 (CVSS score: 8.4): This vulnerability pertains to an origin validation error, which may permit unauthorized sources to interact with the software’s features through crafted HTTP requests.
CVE-2025-3463 (CVSS score: 9.4): This refers to an improper certificate validation vulnerability, which could allow untrusted entities to manipulate system behavior via tailored HTTP requests.

The vulnerabilities were discovered and reported by security researcher MrBruh, who indicated that they could potentially be exploited through a straightforward one-click attack.

The exploitation methodology involves deceiving a user into visiting a sub-domain associated with driverhub.asus.com (for example, driverhub.asus.com..com). The attacker could then leverage the DriverHub’s UpdateApp endpoint to execute a legitimate copy of “AsusSetup.exe” with an option that allows execution of any file hosted on the fraudulent domain.

MrBruh explained in a detailed report that the execution of AsusSetup.exe first requires reading from AsusSetup.ini, which holds metadata regarding the driver. If run with the -s flag (a silent install command), AsusSetup.exe will execute whatever is specified in the SilentInstallRun directive. Although this is typically a script for automated headless installation of drivers, it could equally run any malicious file stipulated by the attacker.

To carry out this exploit, an attacker simply needs to establish a domain and host three essential components: the malicious payload, an altered AsusSetup.ini file that designates the malicious binary in the SilentInstallRun property, and the AsusSetup.exe that executes the payload as directed by the ini file.
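The origin validation error (CVE-2025-3462) and the look-alike host described above both come down to how a service decides that a request's origin is trusted. The following is an added example, not code from ASUS, DriverHub or MrBruh's report: it contrasts a loose substring test (an assumed illustration of this bug class, not the vendor's actual check) with an exact-match check. The function names and the sample origins are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the single origin the local updater service should accept.
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "driverhub.asus.com"


def loose_origin_check(origin: str) -> bool:
    """Weak pattern, shown for contrast: any origin containing the name passes."""
    return TRUSTED_HOST in origin


def strict_origin_check(origin: str) -> bool:
    """Accept only the exact scheme and host; reject everything else."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # accessing .port raises ValueError if malformed
    except ValueError:
        return False
    if parts.scheme != TRUSTED_SCHEME:
        return False
    # "https://trusted@other-host" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    # A serialized origin carries no path, query or fragment.
    if parts.path or parts.query or parts.fragment:
        return False
    if port not in (None, 443):
        return False
    # urlsplit lower-cases the hostname; compare the whole name, not a part.
    return parts.hostname == TRUSTED_HOST


# Constructed sample origins (attacker.example is a reserved test name).
SAMPLES = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com.attacker.example",
    "https://driverhub.asus.com@attacker.example",
    "http://driverhub.asus.com",
    "https://driverhub.asus.com:8443",
    "null",
]


def compare(origins):
    """Return {origin: (loose_result, strict_result)} for each origin."""
    return {o: (loose_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    for origin, (loose, strict) in compare(SAMPLES).items():
        print(f"{origin:50} loose={loose!s:5} strict={strict}")
```

Only the first sample passes the strict check, while the loose check accepts every sample that merely contains the trusted name.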

Following responsible disclosure on April 8, 2025, ASUS addressed the issues in an update released on May 9. Importantly, there has been no discernible evidence indicating that these vulnerabilities have been exploited in active attacks.

ASUS strongly advises users to update their installation of ASUS DriverHub to the latest version, which includes crucial security enhancements. Users can initiate the latest software update by opening ASUS DriverHub and selecting the ‘Update Now’ option.