ASUS DriverHub Flaws Could Lead to Remote Code Execution: Critical Security Patch Released

ASUS, the Taiwanese multinational known for its computing hardware and electronics, has issued urgent security updates to patch two high-severity vulnerabilities found in its DriverHub software. These vulnerabilities could allow attackers to execute malicious code remotely if exploited correctly. Although no active exploitation has been reported in the wild, the nature of these flaws makes them critical to address immediately.

DriverHub is a utility developed by ASUS to detect the installed motherboard model and recommend or install the correct drivers. It communicates with ASUS infrastructure via a dedicated domain (driverhub.asus.com). While the software aims to streamline driver management, a researcher has uncovered a dangerous flaw in the trust and execution flow of its update mechanism.

The Findings

ASUS has patched two vulnerabilities in DriverHub, discovered by security researcher MrBruh:

CVE-2025-3462 (CVSS 8.4): An origin validation error allows attackers to abuse the software by crafting HTTP requests from unauthorized sources.

CVE-2025-3463 (CVSS 9.4): Improper certificate validation enables threat actors to affect the system behavior through malicious HTTP traffic.

Together, these bugs can lead to remote code execution (RCE) in a one-click attack: the user is tricked into visiting an attacker-registered lookalike domain such as driverhub.asus.com.<random>.com. That host is not an ASUS subdomain; it is a separate domain whose name merely begins with the trusted driverhub.asus.com, which is enough to satisfy DriverHub's relaxed origin check.
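To make the origin flaw concrete, here is an added example (not ASUS's code) that puts a loose Origin check of the kind the advisory describes beside an exact-host check. `origin_allowed_weak` is a hypothetical reconstruction of the bug class, not DriverHub's actual logic, and the sample Origin headers are constructed; `attacker.example` stands in for the registrable suffix an attacker would choose.

```python
"""Added example, not ASUS's code. Compares a loose Origin check of the kind the
advisory describes with an exact-host check. origin_allowed_weak is a hypothetical
reconstruction of the bug class; the sample origins are constructed."""
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

TRUSTED_HOST = "driverhub.asus.com"   # the domain DriverHub is meant to trust


def origin_allowed_weak(origin: str) -> bool:
    """Hypothetical reconstruction: accept any Origin that merely contains the name.
    A lookalike such as driverhub.asus.com.<random>.com passes this check."""
    return TRUSTED_HOST in origin


def origin_allowed_strict(origin: str) -> bool:
    """Parse the Origin header and require scheme https, the exact hostname, and
    nothing else (no userinfo, path, query, fragment or non-default port)."""
    try:
        parts = urlsplit(origin)
        port = parts.port                       # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.hostname != TRUSTED_HOST:          # exact match, not prefix or substring
        return False
    if parts.username is not None or port not in (None, 443):
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return True


def evaluate(origins: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each origin to (weak verdict, strict verdict)."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


# Constructed sample Origin headers a local listener might receive.
SAMPLE_ORIGINS = [
    "https://driverhub.asus.com",                    # genuine
    "https://driverhub.asus.com.attacker.example",   # lookalike from the advisory, constructed suffix
    "http://driverhub.asus.com",                     # plaintext, open to on-path tampering
    "https://attacker.example/driverhub.asus.com",   # trusted name only in the path
    "https://driverhub.asus.com@attacker.example",   # trusted name only as userinfo
    "null",                                          # opaque origin (sandboxed iframe, file://)
]

if __name__ == "__main__":
    for origin, (weak, strict) in evaluate(SAMPLE_ORIGINS).items():
        print(f"{origin:48} weak={weak!s:5} strict={strict}")
```

Every lookalike in the sample list passes the weak check and fails the strict one; only the genuine origin (with or without an explicit :443) passes both. The strict version also refuses plain http, which matters for the certificate-validation bug paired with this one.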

The attack works by manipulating how DriverHub's silent-install step decides what to run:

ASUS's DriverHub uses AsusSetup.exe for silent installation of drivers.
This executable reads configuration data from a file named AsusSetup.ini in the same directory.
A parameter called SilentInstallRun within that .ini file tells the executable what to run in silent mode.
If altered, this parameter can point at any script or executable, including a malicious payload.

All an attacker would need is to:

  1. Register a domain whose hostname begins with driverhub.asus.com, so that it passes the relaxed origin check.

  2. Host three files on that domain:

    A malicious executable.
    A manipulated AsusSetup.ini whose SilentInstallRun entry names that payload.
    The official `AsusSetup.exe` binary, which carries a valid ASUS signature and so is allowed to run.

Once the victim clicks the malicious link, DriverHub fetches the three files and runs the genuine AsusSetup.exe, which reads the manipulated AsusSetup.ini and launches the payload silently; no interaction beyond that single click is needed.
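Here is an added example (not ASUS's code) that builds the three-file staging directory from the steps above, shows how the SilentInstallRun entry redirects a silent installer, and puts a launcher beside it that refuses the redirect. The `[Setup]` section name, the file bytes, the vendor file name `asus_driver_setup.exe` and the hash manifest are constructed assumptions; the manifest stands in for the Authenticode check a real launcher should perform on the child executable before running it.

```python
"""Added example, not ASUS's code. Reconstructs the bug class behind SilentInstallRun
and shows a hardened launcher beside it. The "[Setup]" section name, file bytes,
vendor file name and manifest are constructed assumptions."""
import configparser
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

INI_NAME = "AsusSetup.ini"      # file name from the advisory
SECTION = "Setup"               # assumed section name
KEY = "SilentInstallRun"        # parameter name from the advisory


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_ini(stage_dir: Path, silent_run: str) -> None:
    (stage_dir / INI_NAME).write_text(f"[{SECTION}]\n{KEY}={silent_run}\n")


def read_silent_run(stage_dir: Path) -> str:
    """Read the SilentInstallRun value the way a silent installer would."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(stage_dir / INI_NAME)
    return cp.get(SECTION, KEY, fallback="").strip()


def resolve_vulnerable(stage_dir: Path) -> Path:
    """Hypothetical reconstruction of the flawed flow: run whatever the .ini names."""
    return stage_dir / read_silent_run(stage_dir)


def resolve_hardened(stage_dir: Path, manifest: Dict[str, str]) -> Optional[Path]:
    """Run the named file only if it is a bare filename, sits inside the staging
    directory, and its SHA-256 is in a manifest shipped with the signed installer.
    The manifest is a stand-in for an Authenticode check on the child executable.
    Returns None when any check fails."""
    name = read_silent_run(stage_dir)
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None                                   # separators or traversal
    target = (stage_dir / name).resolve()
    if target.parent != stage_dir.resolve() or not target.is_file():
        return None                                   # escaped the directory
    if manifest.get(name) != sha256_file(target):
        return None                                   # not a file the vendor shipped
    return target


def demo() -> Dict[str, object]:
    """Stage the attacker's three files, then a legitimate layout, and compare resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp)
        # Constructed stand-ins for the three hosted files.
        (stage / "AsusSetup.exe").write_bytes(b"MZ stand-in for the genuine signed installer")
        (stage / "payload.exe").write_bytes(b"MZ stand-in for the attacker's payload")
        write_ini(stage, "payload.exe")
        vendor_file = stage / "asus_driver_setup.exe"   # assumed name of a legitimate child
        vendor_file.write_bytes(b"MZ stand-in for a vendor-shipped driver installer")
        manifest = {vendor_file.name: sha256_file(vendor_file)}   # payload.exe is absent

        results: Dict[str, object] = {}
        results["vulnerable_runs"] = resolve_vulnerable(stage).name
        results["hardened_rejects_payload"] = resolve_hardened(stage, manifest) is None

        write_ini(stage, "..\\..\\payload.exe")            # traversal variant
        results["hardened_rejects_traversal"] = resolve_hardened(stage, manifest) is None

        write_ini(stage, vendor_file.name)                  # legitimate layout
        legit = resolve_hardened(stage, manifest)
        results["hardened_allows_vendor"] = legit is not None and legit.name == vendor_file.name

        vendor_file.write_bytes(b"MZ tampered")             # file swapped after the manifest was built
        results["hardened_rejects_tampered"] = resolve_hardened(stage, manifest) is None
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable resolver hands back whatever the .ini names; the hardened one rejects the payload, a traversal path, and a vendor file whose bytes changed after the manifest was built, while still allowing the legitimate child. In a real launcher the manifest lookup would be replaced by verifying the child's Authenticode signature chain, which is what a signed AsusSetup.exe should demand of anything it spawns.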

ASUS responded swiftly:

The vulnerabilities were responsibly disclosed on April 8, 2025.
ASUS rolled out a fix on May 9, 2025.
Users are urged to update DriverHub immediately via the built-in “Update Now” button.

While there is no indication of active exploitation yet, the severity of these issues makes quick user response essential.

What Undercode Say:

The DriverHub incident underscores an all-too-common problem in modern software development: implicit trust in self-hosted infrastructure and poor origin validation. The fact that the software trusted any origin whose hostname merely began with driverhub.asus.com, without comparing the full hostname, reveals a weakness in how security assumptions are made during design.

Let’s break this down:

  1. Trust Mismanagement: An origin of driverhub.asus.com.<random>.com passed the check because the logic matched the trusted name as a prefix rather than comparing the exact hostname. It shows how attackers exploit lookalike domains against relaxed origin validation in real-world scenarios.

  2. Certificate Validation Failure: The improper handling of HTTPS certificates is particularly dangerous. If the client doesn’t strictly verify server certificates, it becomes susceptible to man-in-the-middle (MITM) attacks — especially over corporate networks or open Wi-Fi.

  3. Executable Misuse: The reliance on .ini files and the silent-install (-s) flag in the installer pipeline is not inherently insecure, but when that mechanism isn't isolated or sandboxed, it becomes a significant vector. File-driven installation automation should only launch executables that are allowlisted or carry a valid code signature.

  4. Supply Chain Implications: This incident also touches on the broader software supply chain security concern. If a tool like DriverHub — trusted by thousands — can be hijacked through crafted links, attackers could pivot to deeper intrusions, affecting BIOS updates or firmware installations.

  5. Silent Execution as a Feature, or a Bug? What was meant to be a convenience feature — silent installation — becomes a weapon when hijacked. Many enterprise tools suffer from similar problems: prioritizing usability without a corresponding security control.


References:

Reported By: thehackernews.com