CVE-2025-3462 & CVE-2025-3463: ASUS DriverHub Flaws Enable RCE

ASUS DriverHub, a utility built to simplify driver updates, was found to have two high-risk vulnerabilities: CVE-2025-3462 and CVE-2025-3463. Discovered and reported in April 2025, these issues have since been patched by ASUS, but during the exposure window, attackers could have exploited this tool to execute code remotely under the guise of a legitimate update process.

Details of the Recent ASUS DriverHub Vulnerabilities

Both flaws revolve around improper validation mechanisms that could let malicious actors abuse DriverHub’s update functionality.

CVE-2025-3462 (CVSSv4: 8.4) stems from weak origin validation. The application was intended to accept requests only from the official ASUS subdomain but was tricked by cleverly crafted domain names such as driverhub.asus.com.evil.com.
CVE-2025-3463 (CVSSv4: 9.4) relates to inadequate certificate verification. This allowed untrusted sites to mimic legitimate communications and influence the tool’s behavior.

Security researcher MrBruh discovered and responsibly disclosed the vulnerabilities in early April 2025. ASUS released fixes on May 9, urging all users to apply updates immediately.

Track the latest vulnerabilities with SOCRadar’s Vulnerability Intelligence

New vulnerabilities are disclosed daily, some weaponized within days. SOCRadar’s Vulnerability Intelligence module gives you the insight needed to take action fast.

Prioritized CVE alerts based on exploitability and relevance
Enriched context from threat actors, malware, and proof-of-concept activity
Patch timelines and vendor advisories all in one place

How the Exploit Works

According to the researcher, the attack method is deceptively simple. An attacker needed to set up a fake domain resembling ASUS’s, and host three components:

A legitimate version of AsusSetup.exe
A modified AsusSetup.ini with the SilentInstallRun field pointing to a malicious script
The script or payload intended for execution

When DriverHub’s background process initiated an update, it could unknowingly run this setup file with administrative privileges, executing the attacker’s code silently.

What makes this exploit chain dangerous is the tool’s silent installation behavior. During updates, DriverHub passes the ‘-s’ flag to AsusSetup.exe, allowing it to run scripts specified in the accompanying INI file without any user interface. This creates an opportunity for attackers to install malware with minimal user interaction, potentially via a one click attack.

For a detailed breakdown of how the exploit works, read the researcher’s full analysis on ASUS vulnerabilities.

Who’s Affected?

The flaws are limited to systems with ASUS motherboards that include the DriverHub tool. Laptops and prebuilt desktops from ASUS are reportedly unaffected.

While there is no current evidence of real-world exploitation, the severity of these flaws demands immediate attention.

Users are strongly advised to:

Launch ASUS DriverHub
Click “Update Now” to apply the latest patch
Avoid visiting unknown domains mimicking ASUS’s update servers

Official patch information can be found in ASUS’s security advisory.

SOCRadar’s Attack Surface Management (ASM) module, Company Vulnerabilities

Stay one step ahead by managing what’s visible to threat actors. SOCRadar’s Attack Surface Management (ASM) module continuously maps your digital footprint, helping you find and fix weaknesses before they are exploited.

Discover internet-facing assets, forgotten subdomains, and misconfigured services
Monitor third-party risks and shadow IT
Detect impersonating domains and exposed ports