Security flaws in the Asus DriverHub software could have allowed hackers to take control of affected systems through remote code execution, according to a report by New Zealand-based security researcher MrBruh.
The vulnerabilities, now tracked as CVE-2025-3462 and CVE-2025-3463, carry high CVSS scores of 8.4 and 9.4, indicating critical severity. They exist in the DriverHub service that comes bundled with certain Asus motherboards.
These bugs could be triggered by sending specially crafted HTTP requests. MrBruh revealed that the software failed to properly validate inputs, leaving it vulnerable to unauthorized access and manipulation.
Asus initially stated that the issue only affected the bundled motherboard software, not laptops, desktops, or other devices. However, the researcher showed otherwise. DriverHub runs quietly in the background and connects to driverhub.asus.com to manage driver updates using remote procedure calls (RPC).
Here’s where the flaw lies: the system was only supposed to accept commands from the official domain. But by slightly tweaking the domain, adding a suffix like .anything (e.g., driverhub.asus.com.fake), an attacker could bypass the checks and interact with the local service directly.
Even worse, the vulnerable UpdateApp endpoint would accept manipulated URLs containing .asus.com. This allowed it to:
- Save files with arbitrary names
- Download any file type
- Silently install and auto-execute files with admin rights
- Leave unsigned files that failed validation on disk instead of deleting them
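The origin check and the UpdateApp URL check described above both fail the same way, so this added example (not Asus's code and not taken from the researcher's report) puts a substring-style check next to one that parses the value and compares the host. The weak functions are an assumed reconstruction of the behaviour the article describes; the download suffix, function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_ORIGIN = ("https", "driverhub.asus.com")  # scheme and host named in the article
TRUSTED_DL_SUFFIX = ".asus.com"  # assumption: downloads come from asus.com subdomains

def weak_origin_ok(origin):
    # Assumed shape of the flawed check: substring match on the raw header.
    return "driverhub.asus.com" in origin

def weak_url_ok(url):
    # Assumed shape of the flawed UpdateApp check: substring match on the raw URL.
    return ".asus.com" in url

def _parse(value):
    # Return (scheme, host, port, has_userinfo), or None if the value does not parse.
    try:
        p = urlsplit(value)
        host = (p.hostname or "").rstrip(".")
        return p.scheme, host, p.port, bool(p.username or p.password)
    except ValueError:
        return None

def strict_origin_ok(origin):
    # Compare the parsed scheme and host exactly; never search inside the string.
    parsed = _parse(origin)
    if parsed is None:
        return False
    scheme, host, port, userinfo = parsed
    return (scheme, host) == TRUSTED_ORIGIN and port in (None, 443) and not userinfo

def strict_url_ok(url):
    # Require https and a parsed hostname that ends with the trusted suffix.
    parsed = _parse(url)
    if parsed is None:
        return False
    scheme, host, _port, userinfo = parsed
    return scheme == "https" and host.endswith(TRUSTED_DL_SUFFIX) and not userinfo

# Constructed sample values, not captured traffic.
ORIGINS = ["https://driverhub.asus.com", "https://driverhub.asus.com.fake"]
URLS = ["https://cdn.asus.com/driver.zip", "https://example.test/a.zip?x=.asus.com"]

def compare():
    # Each row: (value, weak verdict, strict verdict).
    rows = [(o, weak_origin_ok(o), strict_origin_ok(o)) for o in ORIGINS]
    rows += [(u, weak_url_ok(u), strict_url_ok(u)) for u in URLS]
    return rows

if __name__ == "__main__":
    for value, weak, strict in compare():
        print(f"{value:45} weak={weak!s:5} strict={strict}")
```

Host validation is only one layer: a downloaded file should also pass signature validation before it is run, and be deleted when it does not.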
In a proof-of-concept, MrBruh showed how these flaws could be exploited by tricking users into visiting a malicious website hosted on a similarly structured subdomain. Just one click was enough to execute remote code on the victim’s system.
He tested this using a Wi-Fi driver distributed in a ZIP file, exploiting the silent install feature to run arbitrary programs without user approval.
Fortunately, the vulnerabilities have now been patched. MrBruh reported the issue to Asus on April 8, and the company released a fix on May 9. No signs of active exploitation have been found so far, and no suspicious subdomains were discovered before the disclosure.
Although Asus doesn’t currently offer a bug bounty, the company has acknowledged the researcher in its Hall of Fame.