May 13, 2025

ASUS patches RCE flaw in DriverHub utility

ASUS has recently issued security updates for its DriverHub utility, addressing two critical vulnerabilities that posed significant remote code execution (RCE) risks. DriverHub, a tool designed to automatically identify motherboard models and provide relevant driver updates, communicates with an ASUS-hosted site to fetch this information. The identified flaws could be exploited by threat actors to remotely execute malicious code on affected systems.

The first flaw, tracked as CVE-2025-3462 and rated 8.4 on the CVSS scale, stems from a failure to properly validate request origins. This could allow threat actors to interact with the application through forged HTTP requests. The second vulnerability, CVE-2025-3463 (CVSS 9.4), involves improper certificate validation, which could let untrusted sources manipulate the system by sending crafted requests to the update endpoint.

The flaw can be exploited by luring a victim to a malicious subdomain resembling ASUS’s legitimate site (e.g., driverhub.asus.com.[malicious-domain].com). This would initiate a download of ASUS’s own setup executable trojanized with a modified .ini file to execute a malicious payload silently.
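The lookalike-subdomain lure works only if the application's origin check accepts any host that merely contains the trusted name. The following is an added illustration (not ASUS's code, and the allowlist, the substring-style weak check and the `malicious-domain.example` host are constructed assumptions) of such a weak check beside an exact-match check that rejects the lookalike:

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; the real trusted origin(s) used by
# DriverHub are not known from the advisory.
ALLOWED_ORIGINS = {"https://driverhub.asus.com"}


def weak_origin_check(origin: str) -> bool:
    """Substring match: accepts any Origin that contains the trusted name.

    Assumed shape of the flawed check; it accepts lookalike hosts such as
    https://driverhub.asus.com.malicious-domain.example (constructed).
    """
    return "driverhub.asus.com" in origin


def strict_origin_check(origin: str) -> bool:
    """Exact match of scheme and host (and non-default port) against an allowlist.

    An Origin header carries only scheme://host[:port], so the host must be
    compared whole: a lookalike subdomain, a userinfo trick such as
    https://driverhub.asus.com@evil.example, a plain-http origin, or a
    missing/"null"/unparsable Origin are all rejected.
    """
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme}://{parts.hostname.lower()}"
    if parts.port is not None and parts.port != 443:
        normalized += f":{parts.port}"
    return normalized in ALLOWED_ORIGINS


if __name__ == "__main__":
    # Constructed sample Origin values, including the lookalike pattern from the write-up.
    samples = [
        "https://driverhub.asus.com",
        "https://driverhub.asus.com.malicious-domain.example",
        "https://driverhub.asus.com@evil.example",
        "http://driverhub.asus.com",
        "null",
    ]
    for origin in samples:
        print(f"{origin:55} weak={weak_origin_check(origin)!s:5} strict={strict_origin_check(origin)}")
```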

ASUS was informed of the vulnerabilities on April 8, 2025, and released a patch on May 9. The company has emphasized that no in-the-wild exploitation has been detected so far and urges all users to update their DriverHub installations immediately through the built-in update feature to ensure their systems remain secure.

Source: Bleeping Computer

Analysis

While CVE-2025-3462 and CVE-2025-3463 have not yet been observed being actively exploited, the techniques they enable—the manipulation of .ini files to control execution flow and the abuse of weak origin or certificate validation—have been reliably used in real-world attacks by both nation-state actors and cybercriminals.

For example, in 2017, some variants of the WannaCry ransomware also used configuration files to guide dropper behavior, executing system-level scripts conditionally based on the environment.

Additionally, attackers have exploited .ini files in game mod loaders and cheat engines, especially between 2019 and 2022, by modifying configuration entries to redirect DLL or executable loading to malicious payloads. This technique was notably used in infected modding tools for games like Skyrim and Grand Theft Auto V, allowing malware to run under the guise of legitimate game modifications.

Because bugs like CVE-2025-3462 and CVE-2025-3463 have historically led to widespread compromise and major security incidents, it is likely that they will be actively exploited before long. It is therefore imperative that users update impacted devices as soon as possible.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities in software. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly advises impacted users to install the necessary patches in accordance with ASUS’s advisory as soon as possible.