
A significant security flaw has been identified in ASUS’s DriverHub, a driver management utility for ASUS devices, which could allow malicious websites to execute commands with administrative privileges on affected systems. Uncovered by cybersecurity researcher “MrBruh”, the flaw primarily stems from insufficient validation of incoming commands to the DriverHub background service.
The discovered vulnerability enables an exploit chain involving CVE-2025-3462 and CVE-2025-3463, allowing attackers to bypass origin checks and perform remote code execution on targeted devices. ASUS DriverHub is typically installed automatically upon the initial boot of certain ASUS motherboards, operating in the background to identify and update necessary drivers.
DriverHub’s security mechanism checks the Origin header of HTTP requests to filter out non-ASUS sources. However, the flawed implementation accepts any value containing the string ‘driverhub.asus.com’ instead of requiring an exact match. This weakness opens a pathway for remote command execution through fake origins.
DriverHub operates without a graphical user interface, functioning as a background process that communicates with driverhub.asus.com to manage driver installations and updates. It uses Remote Procedure Call (RPC) to interact with a local HTTP service on port 53000, creating a potential security risk. If RPC calls are not properly secured, they can be exploited. The UpdateApp endpoint, in particular, allows any file containing ‘.asus.com’ in its URL to be downloaded and executed with administrative rights, bypassing critical signature checks.
Exploiting the UpdateApp endpoint
Compounding this issue is a vulnerability in the UpdateApp endpoint within DriverHub, permitting the download and execution of executable files from “.asus.com” URLs without requiring user consent. Attackers can leverage this flaw by redirecting users to harmful websites that send “UpdateApp requests” to a local service at ‘http://127.0.0.1:53000’. By disguising the Origin Header as ‘driverhub.asus.com.mrbruh.com’, attackers circumvent existing validation protocols.
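The two substring checks described above, each set beside a stricter form, as an added example that is not ASUS's code or the researcher's. The function names, the https scheme on the allowed origin and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list; the article names only the host driverhub.asus.com.
ALLOWED_ORIGINS = {"https://driverhub.asus.com"}


def origin_allowed_substring(origin: str) -> bool:
    """Flawed check as the article describes it: substring match on Origin."""
    return "driverhub.asus.com" in origin


def origin_allowed_exact(origin: str) -> bool:
    """Stricter check: the Origin header must equal an allow-listed origin."""
    return origin in ALLOWED_ORIGINS


def update_url_allowed_substring(url: str) -> bool:
    """Flawed check as described: '.asus.com' anywhere in the URL string."""
    return ".asus.com" in url


def update_url_allowed_host(url: str) -> bool:
    """Stricter check: parse the URL and test the hostname, not the raw string.

    Host validation does not replace verifying the signature of the file
    that is downloaded before it is run.
    """
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host == "asus.com" or host.endswith(".asus.com")


if __name__ == "__main__":
    # Constructed samples: the first origin uses the host quoted in the article.
    for origin in ("https://driverhub.asus.com",
                   "https://driverhub.asus.com.mrbruh.com"):
        print(origin, origin_allowed_substring(origin), origin_allowed_exact(origin))
    for url in ("https://files.asus.com/setup.exe",
                "https://example.test/p.exe?ref=.asus.com",
                "https://files.asus.com@example.test/p.exe"):
        print(url, update_url_allowed_substring(url), update_url_allowed_host(url))
```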
Demonstrations by MrBruh showed that DriverHub could be manipulated to download a legitimate ASUS-signed ‘AsusSetup.exe’ installer along with malicious payloads. The installer runs with administrative rights due to inadequate file signature checks, facilitating unauthorised access and control.
ASUS was notified of these vulnerabilities on 8 April 2025. The computer hardware company released a patch by 18 April after validating the fix with MrBruh.
On Monday, ASUS announced an update for its Armoury Crate software to address CVE-2025-1533. According to the company, users can update their systems via the “Settings” > “Update Center” tab in Armoury Crate.
Despite ASUS’s initial description suggesting that only motherboards were affected, MrBruh clarified that devices running DriverHub on laptops and desktops are also vulnerable. ASUS advises users to apply software updates immediately to reduce exposure to these security threats.
Paul also monitored certificate transparency logs and found no evidence of other TLS certificates containing the “driverhub.asus.com” string, indicating that these vulnerabilities have not been exploited in the wild.