- A security researcher discovered a major flaw in ASUS DriverHub
- The flaw allows users to run malicious code remotely
- A patch was already released
DriverHub, ASUS’ official driver management tool, was carrying a critical vulnerability that allowed threat actors to execute malicious code on affected devices, remotely. It was recently discovered, and a patch was released, so users are urged to apply it as soon as possible to mitigate potential risks.
ASUS DriverHub is a piece of software that automatically downloads and installs the latest drivers for ASUS devices including laptops, motherboards, and peripherals. Its goal is to keep the devices updated at all times, without needing too much manual intervention. According to BleepingComputer, DriverHub comes preinstalled on some devices, and constantly runs in the background (which makes sense if it is to keep software updated at all times).
Now, a security researcher with the alias MrBruh said that DriverHub suffered from poor validation of commands. This allowed him to chain together two vulnerabilities, now tracked as CVE-2025-3462, and CVE-2025-3463, and get the tool to run malicious software.
Releasing the patch
He reported his findings on April 8, and ASUS came back with a patch ten days later, on April 18. Although, the company says the disruptive potential of the flaw is somewhat limited: “This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints,” ASUS said, describing the CVE.
It still “strongly recommended” users apply the patch. “This update includes important security updates and ASUS strongly recommends that users update their ASUS DriverHub installation to the latest version,” the company said in a security advisory.
“The latest Software Update can be accessed by opening ASUS DriverHub, then clicking the “Update Now” button.” Ironically enough, the tool that handles all driver installs automatically needs to be patched – manually.
According to CyberInsider, the vulnerability window has been open for “an indeterminate period” but since there are no reports of abuse in the wild, it’s safe to assume that MrBruh was the first one to spot the bug.
Via BleepingComputer
