Two critical vulnerabilities, CVE-2025-3462 and CVE-2025-3463, have been discovered in ASUS DriverHub, a utility designed to help users update drivers on ASUS systems. These flaws could be exploited by malicious actors to execute unauthorized commands with elevated privileges. The issues stem from insufficient origin validation and improper certificate handling in HTTP requests, potentially allowing attackers to manipulate system behavior from untrusted sources. Given the popularity of ASUS tools across consumer and enterprise environments, users are urged to apply the available security patches immediately.

Technical Description

ASUS DriverHub, a background driver management service shipped with ASUS motherboards and systems, was found vulnerable to critical remote code execution (RCE) via insecure local RPC communications. The DriverHub service listens locally on port 53000 and receives instructions from a companion ASUS web application (driverhub.asus.com) through HTTP requests.

CVE-2025-3462 highlights an origin validation flaw where the service only verifies whether the Origin HTTP header includes driverhub.asus.com. It fails to perform strict hostname validation (e.g., exact match or certificate pinning). As a result, attackers can register deceptive subdomains like driverhub.asus.com.attacker.com to bypass the validation.

This means that any website crafted with such a subdomain could send privileged commands to the DriverHub service running on a user’s machine, assuming the user visits the malicious site.

CVE-2025-3463, a certificate validation flaw, allows the system to trust executables fetched from external sources even if they’re signed by rogue or improperly validated certificates. The signature verification accepts any executable signed by ASUS, not necessarily issued through official channels. This opens a door for attackers to repackage ASUS-signed installers with malicious payloads.

‍

Proof of Exploit Chain:

1. Malicious Website: Victim visits a malicious website hosted under a deceptive subdomain (e.g., driverhub.asus.com.attacker.com).
2. Initiate Local RPC Call: The website sends a POST request to the vulnerable RPC service on 127.0.0.1:53000.
3. UpdateApp Endpoint: The request instructs DriverHub to download and execute a crafted ASUS-signed installer (AsusSetup.exe) that references a modified AsusSetup.ini.
4. SilentInstallRun Exploit: The .ini file specifies a silent install script (SilentInstallRun) that executes attacker-supplied binaries (e.g., calc.exe) with SYSTEM privileges.
5. Achieved RCE: Arbitrary code is executed without user consent or visibility.

Historical Context:

• 2013: University of Texas researchers demonstrated GPS spoofing to hijack drones illustrating how inadequate verification of trusted sources can lead to physical consequences.
• 2019-2022: Certificate validation issues led to supply chain attacks, including the SolarWinds Orion breach, where signed but compromised updates introduced backdoors into enterprise environments.
• April 2025: Security researcher “mrbruh” discovered and responsibly disclosed these vulnerabilities to ASUS. Within two weeks, ASUS issued a patched version, although their advisory downplayed the impact by limiting the affected systems to “motherboards” only despite the broader reach.

‍

Impact

If exploited, these vulnerabilities could allow attackers to run code with administrative privileges giving them the keys to the system. From silently installing malware to stealing data or taking full control of the affected computer, the consequences are severe. What’s particularly concerning is that the user might not even be aware anything is wrong just visiting the wrong website could be enough to trigger an attack. In enterprise environments, such weaknesses could become a gateway for broader network infiltration.

‍

IOC and Context Details

‍

Recommended Actions

• Update immediately to the latest version of ASUS DriverHub, which includes patches for these vulnerabilities.
• Restrict access to driver update tools on managed systems.
• Use endpoint protection solutions that can monitor unusual command execution from trusted binaries.
• Monitor network traffic for suspicious outbound requests from ASUS DriverHub to unknown domains.
• Enforce application control policies to block non-approved tools from running in admin mode.

‍

References

https://mrbruh.com/asusdriverhub/

‍