One-Click RCE Found in ASUS's Pre-Installed Software DriverHub

A recent discovery by security researcher 'MrBruh' has revealed two critical vulnerabilities in ASUS's pre-installed software, DriverHub, which allow for remote code execution via crafted HTTP requests. The flaws, tracked as CVE-2025-3462 and CVE-2025-3463, have CVSS scores of 8.4 and 9.4, respectively, making them significant security concerns.

DriverHub is a driver updater with no graphical user interface (GUI) that runs a background process communicating with driverhub.asus.com via RPC on localhost port 53000. Researchers found that while it only accepts requests with an Origin header set to "driverhub.asus.com," a flawed wildcard match allowed requests from domains like "driverhub.asus.com.mrbruh.com."
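The difference between a loose Origin match and an exact one, as an added example that is not DriverHub's code or the researcher's: the page does not show the actual check, so the weak version is modelled here as a substring test. The function names, the `https` scheme and the sample header values are assumptions constructed for illustration.

```javascript
// Added example. Names, the https scheme and all sample values are assumptions.
const ALLOWED_ORIGINS = new Set(["https://driverhub.asus.com"]);

// Weak check (assumed shape): any Origin that merely contains the trusted
// host name passes, so a look-alike parent domain is accepted.
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.includes("driverhub.asus.com");
}

// Strict check: parse the header and compare scheme + host + port exactly.
function strictOriginCheck(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a serialized origin (for example, no scheme)
  }
  // A real Origin header has no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash ||
      url.username || url.password) {
    return false;
  }
  // url.origin is normalized: lower-case host, default port dropped.
  return ALLOWED_ORIGINS.has(url.origin);
}

// Constructed Origin header values for comparison.
const SAMPLE_ORIGINS = [
  "https://driverhub.asus.com",            // legitimate site
  "https://driverhub.asus.com.mrbruh.com", // look-alike named in the article
  "http://driverhub.asus.com",             // right host, wrong scheme
  "null",                                  // opaque origin
  "driverhub.asus.com",                    // bare host, not an origin
];

// Returns one row per origin with the verdict of each check.
function compare(origins) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

console.table(compare(SAMPLE_ORIGINS));
```

Rows where `weak` is true and `strict` is false are the requests a substring-style match lets through and an exact comparison rejects.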

This vulnerability enables attackers to exploit DriverHub's features, potentially installing malicious software on systems running the software. Furthermore, researchers discovered that ASUS DriverHub exposes several local RPC endpoints, including the dangerous UpdateApp endpoint, which downloads and installs executables with admin rights if signed by ASUS.

MrBruh analyzed JavaScript and decompiled code to uncover a critical weakness in the zip file used during driver installations. Specifically, the INI setting "SilentInstallRun" allows for arbitrary command execution during silent installs, creating an entry point for remote code execution (RCE).

The Exploit Chain

Researchers found that the exploit chain abuses ASUS DriverHub's update mechanism: a malicious site on a spoofed subdomain sends requests to download a benign-sounding executable and a crafted AsusSetup.ini. Then, it downloads a legitimate, signed AsusSetup.exe, which runs silently with admin rights and executes the attacker's payload (calc.exe) as specified in the .ini file.

MrBruh discovered the vulnerabilities on April 7 and reported them to ASUS on April 8. The company released security updates on May 9.

The Response from ASUS

When questioned about bug bounty programs, MrBruh was told that ASUS does not offer such initiatives but would instead add his name to their "hall of fame." While this response may seem disappointing for a researcher seeking financial recognition, it is understandable given the limited resources of a small startup like ASUS.

Follow-up

As researchers and security experts continue to monitor ASUS's DriverHub for potential vulnerabilities, it is essential to raise awareness about the importance of regular software updates and responsible disclosure practices. By doing so, we can work together to create a safer digital landscape for all users.
