Asus driverhub driver management utility was unsafe for an important remote code execution defects that allowed malicious sites to execute the command on equipment with installed software.
The defect was discovered by an independent cyber security researcher from New Zealand, named Paul (aka “.Mrbruh“), Who found that the software had poor recognition of orders sent to the driver’s background service.
This allowed the researcher to create an exploitation series Cve-2025-3462 And Cve-2025-3463 When jointly, the original bypass is obtained and triggers remote code execution on the target.
Driverhub problem
Driverhub Asus has an official driver management tool that is automatically installed on the system boot when using some Asus motherboard.
It runs in the software background, automatically detected and receives the latest driver versions for the motherboard model and its chipset.
Once installed, the tool remains active and running in the background through a local service at Port 53000, constantly checking for important driver updates.
Meanwhile, most users do not even know that such service is constantly running on their system.
This service examines the original header of the upcoming HTTP requests, which is to reject anything that does not come from ‘Driverhub.asus.com’.
However, this check is poorly applied, as any site is included that string, even if it is not an accurate match for the official portal of ASUS.
The second issue lies in updateapp endpoint, which allows the driver to download and run.
Source: Mrbruh
Sneaky attack
An attacker can target any user to visit a malicious website on his browser running on his system with Asus Driverhub. This website then sends “updateapp request” for local service
The original header is bypassed for the investigation of weak verification by spuofing for something like ‘Driverhub.asus.com.Mrbruh.com’, hence the driverhub accepts the command.
In the performance of the researcher, the command software orders a valid asus-signed ‘Asussetup.exe’ installer a malicious .INI file and a valid asus-signed ‘signed’ assetstup.exe ‘installer with a malicious .IXE file and .exe payload.
Asus-signed installer is silently run as administrator and uses configuration information in .INI file. This INI file directs the valid asus driver installer to launch malicious executable file.
The attack has also been made possible that fails to remove the files that thwart the signature check, such as .IINI and Paleod, which are placed on the host after their download.
Asus reaction and user action
Asus received the researcher’s report on 8 April 2025, and applied a fix on 18 April, which was a day earlier after being validated with Mrbruh. The hardware giant did not give a reward to the researcher for his disclosure.
The CVE description, which was presented by the seller of Taiwan, reduces this issue with some extent the following statement:
“The issue is limited to the motherboard and does not affect laptops, desktop computers or other closing points,” CVE reads the details.
It is misleading, as the Driverhub is installed with the mentioned Caves effect laptops and desktop computers.
However, Asus is clear in its safety bulletin, advises users to apply the latest updates quickly.
“This update involves significant security updates and asus strongly recommends that users update their Asus Driverhub installation in the latest version,” Bulletin reads,
“The latest software updates can be accessed by opening the Asus Driverhub, then clicking on the” Update Now “button.”
Mrbruh says that he monitored the certificate transparency update and found no other TLS certificate containing “Driverhub.asus.com” string, showing that it was not exploited in the wild.
If you are uncomfortable with a background service, to automatically bring the potentially dangerous files when going to the websites, you can disable the driverhub from your BIOS settings.
Based on the analysis of 14M malicious tasks, search for the top 10 MITERAT & CK techniques behind the 93% attacks and how to defend them against them.
