Two vulnerabilities in DriverHub, a driver software that comes pre-installed on Asus motherboards, can be exploited remotely for arbitrary code execution, New Zealand researcher ‘MrBruh’ says.
The issues, tracked as CVE-2025-3462 (CVSS score of 8.4) and CVE-2025-3463 (CVSS score of 9.4) could be exploited via crafted HTTP requests to interact with DriverHub.
According to Asus, the flaws are the result of a lack of sufficient validation and could be exploited to interact with the software’s features and affect system behavior, respectively. The company also says that “laptops, desktop computers, or other endpoints” are not affected by these bugs.
MrBruh, however, explains that the security defects can be exploited for remote code execution, and that they exist in the way the pre-installed software receives and executes packages.
DriverHub runs in the background, communicating with driverhub.asus.com to notify users of the drivers that should be installed or updated. It relies on the remote procedure call (RPC) protocol and hosts a local service to which the website can connect via API requests.
According to MrBruh, while DriverHub would only accept RPC requests from driverhub.asus.com, switching the origin – to ‘driverhub.asus.com.*’ – would allow an unauthorized user to send requests to it.
Additionally, the driver’s UpdateApp endpoint would accept crafted URL parameters (if they contained ‘.asus.com’), save a file with a specified name, download any file with any extension, automatically execute signed files with administrative privileges, and not delete files that fail the signature check.
Looking into a standalone Wi-Fi driver that was distributed in a ZIP archive, MrBruh discovered that it was possible to target the UpdateApp endpoint with an exploit leveraging a silent install feature to execute any file.
The researcher demonstrated how the vulnerabilities can be exploited for one-click remote code execution by getting the targeted user to visit a malicious webpage hosted on a driverhub.asus.com.* subdomain.
MrBruh reported the vulnerabilities on April 8 and Asus rolled out fixes for them on May 9. The researcher says he has not seen any domain with driverhub.asus.com.* registered, “meaning it is unlikely that this was being actively exploited” before his report.
“I asked Asus if they offered bug bounties. They responded saying they do not, but they would instead put my name in their ‘hall of fame’,” MrBruh notes.
Related: Improperly Patched Samsung MagicINFO Vulnerability Exploited by Botnet
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
Related: Critical Vulnerability in AI Builder Langflow Under Attack
Related: Critical Commvault Vulnerability in Attacker Crosshairs
