ASUS DriverHub flaw let malicious sites run commands with admin rights | Update recommended

[ZeroStrawberries]

Content source

https://www.bleepingcomputer.com/news/security/asus-driverhub-flaw-let-malicious-sites-run-commands-with-admin-rights/

The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
The flaw was discovered by an independent cybersecurity researcher from New Zealand named Paul (aka "MrBruh"), who found that the software had poor validation of commands sent to the DriverHub background service.
This allowed the researcher to create an exploit chain utilizing flaws tracked as CVE-2025-3462 and CVE-2025-3463 that, when combined, achieve origin bypass and trigger remote code execution on the target.

DriverHub is ASUS's official driver management tool that is automatically installed on the first system boot when utilizing certain ASUS motherboards.
This software runs in the background, automatically detecting and fetching the latest driver versions for the detected motherboard model and its chipset.
Once installed, the tool remains active and running in the background via a local service on port 53000, continually checking for important driver updates.
Meanwhile, most users don't even know such a service is constantly running on their system.
That service checks the Origin Header of incoming HTTP requests to reject anything that doesn't come from 'driverhub.asus.com.'
However, this check is poorly implemented, as any site that includes that string is accepted even if it's not an exact match to ASUS's official portal.
The second issue lies in the UpdateApp endpoint, which allows DriverHub to download and run .exe files from ".asus.com" URLs without user confirmation.

By spoofing the Origin Header to something like 'driverhub.asus.com.mrbruh.com,' the weak validation check is bypassed, so DriverHub accepts the commands.
In the researcher's demonstration, the commands order the software to download a legitimate ASUS-signed 'AsusSetup.exe' installer from the vendor's download portal, along with a malicious .ini file and .exe payload.
The ASUS-signed installer is silently run as admin and uses the configuration information in the .ini file. This ini file directs the legitimate ASUS driver installer to launch the malicious executable file.
The attack is also made possible by the tool failing to delete files that fail signature checks, like the .ini and payload, which are kept on the host after their download.

ASUS received the researcher's reports on April 8, 2025, and implemented a fix on April 18, after validating it with MrBruh the day before. The hardware giant did not offer the researcher any bounty for his disclosure.

However, ASUS is clearer in its security bulletin, advising users to quickly apply the latest update.
"This update includes important security updates and ASUS strongly recommends that users update their ASUS DriverHub installation to the latest version," reads the bulletin.
"The latest Software Update can be accessed by opening ASUS DriverHub, then clicking the "Update Now" button."

Additional article: Researchers found one-click RCE in ASUS ’s pre-installed software DriverHub