
ASUS DriverHub Exploited in Cyber Crime Malware Attack

A critical security flaw in ASUS’s official driver management utility, DriverHub, allowed attackers to remotely execute code on users’ systems using spoofed websites. Discovered by an independent researcher, the vulnerability affects millions of devices and remained exploitable for years. ASUS has since patched the issue—but concerns remain about oversight and disclosure.

The Hidden Risk: ASUS DriverHub’s Quiet Vulnerability

For many ASUS motherboard users, a driver update tool known as DriverHub quietly launches and stays active from the first boot. Designed to simplify driver updates and ensure system compatibility, the utility runs persistently as a local service on port 53000, polling ASUS servers for new drivers.

But beneath this convenience lay a hidden threat. As discovered by New Zealand-based independent security researcher MrBruh, the DriverHub utility suffered from two critical flaws—now tracked as CVE-2025-3462 and CVE-2025-3463—that enabled remote code execution (RCE) via a malicious website.

“These issues allow any attacker to silently execute code as admin on a vulnerable machine,” MrBruh wrote in a technical disclosure. “No prompts. No user interaction. Just one visit to a website.”

Exploit Chain: Spoofed Origins and Executable Payloads

The vulnerability hinged on poor validation of the Origin header in HTTP requests sent to the local DriverHub service. The service was intended to accept commands only from driverhub.asus.com, but as MrBruh demonstrated, the check was a substring match: any origin containing that string—such as driverhub.asus.com.mrbruh.com—would pass.
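To make the failure concrete, here is an added illustration (not ASUS code and not from the researcher's write-up) of the two ways a local service can validate an Origin header: the substring test the article describes, and an exact match of scheme, host and port against an allow-list. The allow-list contents and the helper names are assumptions for the example; the real DriverHub implementation is not on the page.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list: the one origin the article says the service should trust.
# Real code would load this from configuration; the tuple is (scheme, host, port).
ALLOWED_ORIGINS = {("https", "driverhub.asus.com", 443)}


def weak_origin_check(origin: Optional[str]) -> bool:
    """The flawed behaviour described in the article: a substring test.

    It accepts any origin that merely contains the trusted hostname, which is
    why a look-alike subdomain on an attacker-controlled domain passes.
    """
    return "driverhub.asus.com" in (origin or "")


def strict_origin_check(origin: Optional[str]) -> bool:
    """Exact (scheme, host, port) match against ALLOWED_ORIGINS.

    A missing Origin or the opaque value "null" is rejected outright, because a
    privileged local service should never act on an unidentified caller.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # A well-formed Origin is scheme://host[:port] only; anything beyond that
    # (path, query, fragment, userinfo) is malformed and is refused.
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port) in ALLOWED_ORIGINS


def compare_checks(origin: Optional[str]) -> dict:
    """Return both verdicts side by side for one Origin value."""
    return {"weak": weak_origin_check(origin), "strict": strict_origin_check(origin)}


if __name__ == "__main__":
    # Constructed sample Origin values, including the bypass from the article.
    for o in ["https://driverhub.asus.com",
              "https://driverhub.asus.com.mrbruh.com",
              "https://example.invalid/driverhub.asus.com",
              "http://driverhub.asus.com",
              None]:
        print(repr(o), compare_checks(o))
```

Beyond fixing the comparison itself, a service that executes installers should also demand an explicit, non-guessable token or a user confirmation, since any page the browser renders can issue cross-origin requests to localhost.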

Armed with this bypass, an attacker could craft a malicious website that, once visited by a user, would send “UpdateApp” commands to the local service. These commands would direct DriverHub to download a legitimate ASUS-signed executable (e.g., AsusSetup.exe) along with:

• A malicious .ini file, containing instructions
• A malicious payload (.exe) masquerading as part of the installer

The ASUS installer, executed silently with administrator privileges, would then launch the malware using the configuration from the .ini file.

To make matters worse, the tool failed to delete files that failed signature verification, leaving malicious code behind.
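The leftover-file problem has a standard remedy: download into a private staging directory, verify there, and only move a file into its final location once it passes; on failure the whole staging directory is removed. The following is an added example of that pattern (not ASUS code). It stands in for signature verification with a constructed SHA-256 allow-list, because a real Authenticode check needs the platform's signing infrastructure; the blob contents, file names other than AsusSetup.exe, and the function names are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sample downloads: one "known good" blob and one that is not on the list.
GOOD_BLOB = b"constructed stand-in for a vendor-signed installer"
BAD_BLOB = b"constructed stand-in for an unexpected executable"

# Stand-in for signature verification: an allow-list of SHA-256 digests.
# Real code would check the publisher's code-signing certificate chain instead.
KNOWN_GOOD_SHA256 = {hashlib.sha256(GOOD_BLOB).hexdigest()}


def hash_allowlist_verify(path: Path) -> bool:
    """Return True only if the staged file's digest is on the allow-list."""
    return hashlib.sha256(path.read_bytes()).hexdigest() in KNOWN_GOOD_SHA256


def stage_and_verify(data: bytes, final_dir: Path, name: str,
                     verify: Callable[[Path], bool]) -> Optional[Path]:
    """Write data to a fresh temp dir, verify it there, then move it into place.

    Returns the installed path on success, None on failure. The temp dir is
    deleted in every case, so a file that fails verification never survives
    on disk, which is the defect the article describes.
    """
    tmp = Path(tempfile.mkdtemp(prefix="staged-download-"))
    try:
        staged = tmp / name
        staged.write_bytes(data)
        if not verify(staged):
            return None
        final_dir.mkdir(parents=True, exist_ok=True)
        dest = final_dir / name
        shutil.move(str(staged), str(dest))
        return dest
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


def demo() -> dict:
    """Run both downloads through the pipeline and report what was left behind."""
    with tempfile.TemporaryDirectory() as d:
        final_dir = Path(d) / "installed"
        good = stage_and_verify(GOOD_BLOB, final_dir, "AsusSetup.exe", hash_allowlist_verify)
        bad = stage_and_verify(BAD_BLOB, final_dir, "unverified.exe", hash_allowlist_verify)
        files = sorted(p.name for p in final_dir.iterdir()) if final_dir.exists() else []
        return {
            "good_installed": good is not None and good.exists(),
            "bad_installed": bad is not None,
            "files_in_final_dir": files,
        }


if __name__ == "__main__":
    print(demo())
```

The key property is that verification and installation happen on the same staged bytes, so there is no window in which an unverified file sits in the install directory, and a verification failure leaves nothing behind for a later step to execute.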

ASUS Responds—But Questions Remain

ASUS was informed of the vulnerability on April 8, 2025, and released a patch on April 18, validating the fix with MrBruh a day prior. While the flaw has been addressed in the latest version of DriverHub, ASUS’s public CVE statements have raised eyebrows.

“This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints,” ASUS claimed.

However, Dr. Nishant Sawant and security analysts say this statement is misleading. Any device—laptop or desktop—running ASUS DriverHub was potentially vulnerable.

Adding to the criticism, ASUS did not issue a bug bounty to the researcher, despite the severe implications of the discovery.

On the bright side, there is no evidence the flaw was exploited in the wild. MrBruh confirmed he found no rogue TLS certificates containing “driverhub.asus.com” in certificate transparency logs.

ASUS has since issued a security bulletin, urging all users to open the DriverHub utility and click “Update Now.” Alternatively, for those wary of software that automatically downloads files based on background web traffic, the service can be disabled from BIOS settings.