Full Report
ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution. DriverHub is a tool that's designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a
Analysis Summary
# Vulnerability: ASUS DriverHub RCE via Origin Validation Error and Improper Certificate Validation
## CVE Details
- CVE-2025-3462
  - CVSS Score: 8.4 (High)
  - CWE: Origin Validation Error
- CVE-2025-3463
  - CVSS Score: 9.4 (Critical)
  - CWE: Improper Certificate Validation
## Affected Systems
- Products: ASUS DriverHub
- Versions: Not explicitly listed; users must update to the patched version.
- Configurations: Vulnerabilities are exploited through crafted HTTP requests against the `driverhub.asus[.]com` endpoint or subdomains.
## Vulnerability Description
Two vulnerabilities (one rated High, one Critical) exist in ASUS DriverHub, which is used to automatically detect hardware and fetch driver updates from `driverhub.asus[.]com`.
1. **CVE-2025-3462 (Origin Validation Error):** Allows unauthorized sources to interact with software features via crafted HTTP requests.
2. **CVE-2025-3463 (Improper Certificate Validation):** Allows untrusted sources to affect system behavior via crafted HTTP requests.
If chained, these flaws allow an attacker to achieve Remote Code Execution (RCE) via a one-click attack. The exploit involves tricking a user into visiting a specifically crafted look-alike subdomain (e.g., `driverhub.asus.com..com`). This triggers DriverHub's UpdateApp endpoint, instructing it to execute the legitimate `AsusSetup.exe` utility. When run with the silent install flag (`-s`), `AsusSetup.exe` reads metadata from `AsusSetup.ini` and executes whatever is specified in the `SilentInstallRun` property. Because the attacker controls this INI file via the vulnerable HTTP interaction, they can force execution of a malicious payload hosted on their own domain.
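The origin check behind CVE-2025-3462 is the first link in the chain above. The following is an added Python example (not code from DriverHub or from the researcher's report) that contrasts a loose check, which only tests whether the Origin header contains the trusted host (an assumption about the flawed logic, consistent with the `driverhub.asus.com..com` example), with a strict check that parses the Origin and requires an exact host match; `TRUSTED_HOST`, the function names and the sample Origin values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Host that the browser-to-DriverHub channel is meant to trust (from the page).
TRUSTED_HOST = "driverhub.asus.com"


def weak_origin_allowed(origin: str) -> bool:
    """Loose check: accepts any Origin that merely contains the trusted host.

    Assumed shape of the flawed logic behind CVE-2025-3462 (an assumption,
    not DriverHub's actual code); 'driverhub.asus.com..com' slips through.
    """
    return TRUSTED_HOST in origin


def strict_origin_allowed(origin: str) -> bool:
    """Hardened check: parse the Origin, require https and an exact host match.

    Look-alike hosts such as 'driverhub.asus.com..com' are rejected because
    the parsed hostname is compared as a whole, not searched as a substring.
    """
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.hostname is None or parts.hostname != TRUSTED_HOST:
        return False
    # A real Origin header has no path, query or fragment; reject anything else.
    if parts.path or parts.query or parts.fragment:
        return False
    return True


def compare_checks(origins):
    """Return {origin: (weak_result, strict_result)} for a list of Origin values."""
    return {o: (weak_origin_allowed(o), strict_origin_allowed(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample Origin values: the legitimate host, the look-alike from
    # the advisory, and a plain-http variant a scheme-agnostic check would accept.
    samples = [
        "https://driverhub.asus.com",
        "https://driverhub.asus.com..com",
        "http://driverhub.asus.com",
    ]
    for origin, (weak, strict) in compare_checks(samples).items():
        print(f"{origin:40} weak={weak!s:5} strict={strict}")
```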
## Exploitation
- Status: PoC available (The researcher provided a technical report detailing the steps).
- Complexity: Low (Requires creating a malicious domain and hosting three items: the malicious payload, an altered `AsusSetup.ini`, and the `AsusSetup.exe` path/context).
- Attack Vector: Network (Requires user navigation to a crafted URL).
## Impact
- Confidentiality: High (Arbitrary code execution grants access to local system data).
- Integrity: High (Arbitrary code execution allows modification or deletion of system files).
- Availability: High (Code execution can lead to system instability or denial of service).
## Remediation
### Patches
- ASUS released fixes on May 9, 2025. Users must update ASUS DriverHub to the latest version available from within the application itself.
- **Action:** Open ASUS DriverHub and click the **"Update Now"** button.
### Workarounds
- None explicitly listed, but the core mitigation is updating the software immediately given the high severity and RCE potential. Users should exercise caution regarding any prompts or automatic updates initiated by DriverHub until the patch is confirmed installed.
## Detection
- **Indicators of Compromise:** Look for anomalous execution of the `AsusSetup.exe` binary, particularly when combined with silent install flags (`-s`) or unusual network activity originating from DriverHub processes interacting with external, non-standard domains.
- **Detection methods and tools:** Standard EDR/AV solutions should monitor for attempts to execute arbitrary commands via the path specified in `AsusSetup.ini`, and for manipulation of this file during the update process. Blocking access to previously identified subdomains associated with the attack vector may serve as a temporary measure until patching is complete.
## References
- Vendor Advisory: https://www.asus.com/content/asus-product-security-advisory/
- Technical Report: mrbruh[.]com/asusdriverhub/ (Defanged)
- Related Article: thehackernews[.]com/2025/05/asus-patches-driverhub-rce-flaws.html (Defanged)