ASUS Patches RCE Bugs in DriverHub

The two vulnerabilities can be chained together to gain RCE

ASUS has released fixes for two separate vulnerabilities in its DriverHub app which can be combined to achieve remote code execution on a number of the company’s motherboards. ASUS maintains that the bugs don’t affect laptops and desktops, although the researcher who discovered the bugs said that is misleading, as the vulnerabilities are actually present in any machine that has the DriverHub app installed. 

Why It Matters: The DriverHub software is used to communicate with the ASUS servers and determine which software drivers the specific device needs to load. The app is very widely used and runs in the background, communicating with an ASUS server to see which drivers to install and which ones need to be updated. The two vulnerabilities can be chained together to gain RCE, according to the researcher who discovered them. 

Key Details

  • In its security advisory, ASUS doesn’t give version numbers for which releases of DriverHub are affected by these vulnerabilities, but just says that users should update to the latest release.

  • CVE-2025-3463 reads as follows: “An insufficient validation vulnerability in ASUS DriverHub may allow untrusted sources to affect system behavior via crafted HTTP requests.”

  • CVE-2025-3462 is described as: “An insufficient validation in ASUS DriverHub may allow unauthorized sources to interact with the software's features via crafted HTTP requests.”

  • The bugs were discovered by a researcher who goes by the handle MrBruh, who found that the DriverHub server would accept RPC calls from arbitrary websites. 

  • “After fiddling with variations of the command for a while my assumptions were confirmed. DriverHub only responded to requests with the origin header set to “driverhub.asus.com”. So at least this software wasn’t completely busted and evil hackers can’t just send requests to DriverHub willy-nilly. However, I wasn’t done yet, presumably the program checks if the origin is driverhub.asus.hub and if so it’d accept RPC requests. What I did next was see if the program did a direct comparison like origin == driverhub.asus.hub or if it was a wildcard match such as origin.includes("driverhub.asus.com"). When I switched the origin to driverhub.asus.com.mrbruh.com, it allowed my request. It was obvious now there was a serious threat. The next step was to determine how much damage was possible,” the researcher’s blog post says.
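The difference between the two comparisons the researcher describes can be shown side by side for a local service that gates requests on the Origin header. This is an added example, not code from the researcher's post or from DriverHub. The `https` scheme in the allow-list, the function names and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: Origin validation for a local RPC endpoint.
// ALLOWED_ORIGINS (including the https scheme) and all function names are
// assumptions for illustration, not taken from DriverHub.
const ALLOWED_ORIGINS = new Set(["https://driverhub.asus.com"]);

// Weak form: a wildcard match like the origin.includes(...) form quoted above.
function isAllowedOriginSubstring(originHeader) {
  return typeof originHeader === "string" &&
    originHeader.includes("driverhub.asus.com");
}

// Hardened form: parse the header, then require an exact origin match.
function isAllowedOriginExact(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // missing scheme or otherwise malformed
  }
  // A serialized origin is scheme://host[:port] only, so reject credentials,
  // paths, query strings and fragments before comparing.
  if (parsed.username || parsed.password || parsed.pathname !== "/" ||
      parsed.search || parsed.hash) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Run both checks over a list of header values and return the verdicts.
function compareChecks(headers) {
  return headers.map((h) => ({
    origin: String(h),
    substring: isAllowedOriginSubstring(h),
    exact: isAllowedOriginExact(h),
  }));
}

// Constructed sample headers; the second is the value quoted in the post.
const SAMPLE_ORIGINS = [
  "https://driverhub.asus.com",
  "https://driverhub.asus.com.mrbruh.com",
  "http://driverhub.asus.com",
  "null",
  undefined,
];

console.table(compareChecks(SAMPLE_ORIGINS));
```

Only the first sample passes the exact check, while the substring check also accepts the second and third.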

ASUS released the updated version of DriverHub on April 18, but the advisory was only published on May 9. 

There is a separate vulnerability in the ASUS Armoury Crate software, which is loaded by DriverHub in some cases, that can lead to BSOD or other unwanted outcomes. ASUS released an update for that flaw (CVE-2025-1533) on May 12.