Hidden vulnerability in Asus motherboards revealed by a New Zealand programmer
A critical vulnerability in the DriverHub local server allows malicious code to be executed with administrator privileges; the risk extends to Asus desktops and laptops as well as motherboards
A New Zealand programmer, Paul, accidentally discovered a serious vulnerability in Asus motherboards related to the DriverHub software, a service that facilitates the automatic installation of drivers. This feature, enabled by default in the BIOS, manifests itself in the form of a small local web server that listens on port 53000 and allows communication via Remote Procedure Call (RPC) with specific web pages. The intent was to facilitate users by updating Asus drivers and utilities without interference, but this architecture exposed a significant attack surface if the authentication and authorization controls were insufficient. After Paul overcame his initial skepticism and installed the Asus motherboard, he noticed that the feature was activated automatically and, once he logged into Windows, he received a request to install DriverHub. From that moment on, he began to delve into the behavior of this local server, finding clues that suggested potential security flaws.
How DriverHub exposes your system to risk and the security bypass mechanism
DriverHub works by launching a local web server reachable only at 127.0.0.1 on port 53000, which accepts commands from web pages supposedly hosted on the official domain driverhub.asus.com. However, the check implemented to filter requests by the “Origin” HTTP header turned out to be superficial: instead of an exact comparison, it only tests whether the string “driverhub.asus.com” is contained in the header, thus opening the door to any domain containing that text sequence. An attacker could register a lookalike domain such as driverhub.asus.com.mysite.com and trick the user into visiting it, so that the page sends malicious commands to the local DriverHub server. This weakness effectively bypasses the CSRF protection, allowing a malicious page to issue privileged requests. The developer also discovered that DriverHub exposes numerous RPC endpoints with critical functions, including hardware data collection, forced reboots, and most notably application updates that download and execute files from external URLs.
Attack chain and high risk of remote code execution via undeleted files
A key point of the vulnerability is the UpdateApp function, which permissively accepts any URL containing the string “.asus.com”, allowing crafted links to pass validation. Although only code digitally signed by Asus is executed, downloaded unsigned files are not deleted but remain in the download folder. This is where the silent mode of AsusSetup.exe, a key component of automatic driver installation, comes into play: it reads and applies instructions from a local AsusSetup.ini file. By manipulating this file, an attacker can inject arbitrary commands that are executed with administrator privileges. Ultimately, a sequence of requests sent from a malicious site on a specially crafted domain can download a malicious executable, a malicious .ini file, and the Asus-signed installer, so that the altered configuration file launches arbitrary code with elevated privileges.
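To make the two substring checks described above concrete, here is an added example (not Asus's code; the domain names are constructed) that places the weak “contains” tests for the Origin header and the UpdateApp URL beside strict checks that compare the full origin exactly and validate the parsed hostname of the download URL on a label boundary.

```python
from urllib.parse import urlsplit

# The only origin the local RPC server should trust (assumed for this example).
ALLOWED_ORIGIN = "https://driverhub.asus.com"
# Host suffix with a leading dot so the match stops at a DNS label boundary.
ALLOWED_HOST_SUFFIX = ".asus.com"


def weak_origin_check(origin: str) -> bool:
    """Substring test as described in the article: any origin that merely
    contains the string passes, including lookalike domains."""
    return "driverhub.asus.com" in origin


def strict_origin_check(origin: str) -> bool:
    """Exact comparison of the whole scheme://host origin (case-folded)."""
    return origin.strip().lower() == ALLOWED_ORIGIN


def weak_update_url_check(url: str) -> bool:
    """Substring test on the raw URL, as described for UpdateApp: the
    marker can sit in the path, query or userinfo rather than the host."""
    return ".asus.com" in url


def strict_update_url_check(url: str) -> bool:
    """Parse the URL, require https, and check only the hostname, so that
    userinfo tricks (user@host), paths and query strings cannot influence
    the decision and 'evilasus.com' does not match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    return host == "asus.com" or host.endswith(ALLOWED_HOST_SUFFIX)


# Constructed sample inputs: (kind, value). The lookalike and userinfo
# forms are the shapes the weak checks accept and the strict ones reject.
SAMPLE_REQUESTS = [
    ("origin", "https://driverhub.asus.com"),
    ("origin", "https://driverhub.asus.com.mysite.example"),
    ("url", "https://driverhub.asus.com/update.exe"),
    ("url", "https://evil.example/dl?ref=.asus.com"),
    ("url", "https://driverhub.asus.com@evil.example/update.exe"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return {value: (weak_result, strict_result)} for each sample."""
    out = {}
    for kind, value in requests:
        if kind == "origin":
            out[value] = (weak_origin_check(value), strict_origin_check(value))
        else:
            out[value] = (weak_update_url_check(value), strict_update_url_check(value))
    return out
```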
Asus' response, limited recognition, and implications for system integrators
The report was submitted on April 7; Asus acted quickly and released the patch by April 18, publishing two CVEs with very high CVSS scores (8.4 and 9.4). Despite the critical severity, Asus downplayed the vulnerability description and offered no reward, given the lack of an official bug bounty program. The flaw affects any desktop or laptop device with DriverHub, in addition to the motherboards it was initially associated with. For IT specialists and system integrators, this case is a clear call to strengthen security procedures for pre-installed software and BIOS automations, and underlines the importance of thoroughly auditing services that expose local APIs. Rigorous controls and network-level monitoring can prevent exploitation of mechanisms that seem useful but become dangerous when misconfigured.
05/12/2025 21:23
Marco Verro