Critical Vulnerability in ASUS DriverHub Enables Malicious Sites to Execute Commands with Elevated Privileges
The ASUS DriverHub driver management utility contains a critical remote code execution vulnerability that lets malicious websites execute commands on devices where the software is installed.
This security flaw was uncovered by an independent cybersecurity researcher from New Zealand, who noted that the software insufficiently validated commands sent to the DriverHub background service. This oversight made it possible to build an exploit chain from the flaws cataloged as CVE-2025-3462 and CVE-2025-3463. Combined, these vulnerabilities allow attackers to bypass the origin check and execute remote commands on affected systems.
DriverHub is ASUS’s official driver management tool, typically pre-installed on systems featuring specific ASUS motherboards. This utility operates in the background, autonomously detecting and downloading updated driver versions compatible with the detected motherboard and chipset. Once initiated, it remains active, continuously monitoring for critical driver updates through a local service on port 53000 — a service that most users are unaware is running on their systems.
The service checks the Origin header of incoming HTTP requests, rejecting any that do not originate from ‘driverhub.asus.com’. However, this check is inadequately implemented: any origin that contains that string is accepted, whether or not it exactly matches ASUS’s legitimate portal. The second flaw lies in the UpdateApp endpoint, which allows DriverHub to download and execute .exe files from “.asus.com” URLs without requiring user confirmation.
An attacker can exploit this vulnerability by enticing users who have ASUS DriverHub installed to visit a malicious website that sends “UpdateApp requests” to the local service running at ‘http://127.0.0.1:53000’. By spoofing the Origin header to an address such as ‘driverhub.asus.com.mrbruh.com’, the attacker gets past the inadequate validation and the DriverHub service accepts these commands.
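The origin check described above, shown as a substring match beside an exact comparison. This is an added example, not ASUS's code; the function names, the sample values and the assumption that the trusted origin is https://driverhub.asus.com on port 443 are illustrative.

```python
from urllib.parse import urlsplit

# Assumption: the single origin the local service should trust (scheme, host, port).
ALLOWED_ORIGINS = {("https", "driverhub.asus.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def weak_origin_check(origin: str) -> bool:
    """Substring match, the behaviour the article describes."""
    return "driverhub.asus.com" in origin


def strict_origin_check(origin: str) -> bool:
    """Parse the Origin value and compare scheme, host and port exactly."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # A serialized origin is scheme://host[:port] with nothing else attached.
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return False
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port) in ALLOWED_ORIGINS


# Constructed sample Origin values; the second is the one quoted in the article.
SAMPLES = [
    "https://driverhub.asus.com",
    "https://driverhub.asus.com.mrbruh.com",
    "http://driverhub.asus.com",
    "null",
]


def compare(origins):
    """Return (origin, weak_result, strict_result) for each value."""
    return [(o, weak_origin_check(o), strict_origin_check(o)) for o in origins]


if __name__ == "__main__":
    for origin, weak, strict in compare(SAMPLES):
        print(f"{origin:45} weak={weak!s:5} strict={strict}")
```

Any Origin for which the two checks disagree is a request the substring match would have let through; logging those disagreements is a cheap way to audit a local HTTP listener of this kind.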
In a demonstration of this exploit, the researcher was able to command the software to download an ASUS-signed ‘AsusSetup.exe’ installer from the vendor’s download portal, accompanied by a malicious .ini file and an executable payload. The legitimate ASUS installer is then executed silently with administrative rights, utilizing the configuration data from the .ini file to launch the malicious executable. Notably, the DriverHub tool fails to remove files that do not pass signature checks, leaving downloaded malicious files on the host system.
ASUS was alerted to this vulnerability by the researcher on April 8, 2025, and implemented a fix by April 18, following validation with the researcher. However, ASUS did not provide any form of monetary incentive for the reported vulnerability. The company’s CVE description somewhat understates the issue, stating that it affects only motherboards and excluding laptops and desktops from its scope, even though these devices can also have DriverHub installed.
In its security bulletin, ASUS advised users to promptly apply the latest update, highlighting the importance of addressing security vulnerabilities within the DriverHub software. Users are encouraged to open ASUS DriverHub and select the “Update Now” option to access the latest software update.
The researcher monitored certificate transparency updates and did not find evidence that the vulnerability was exploited in the wild. For users who may have concerns regarding the automatic background service downloading potentially harmful files, disabling DriverHub through BIOS settings is recommended.