Critical security vulnerability in automatic update system for Asus mainboards
An automatic update system that has been criticized by experts for years is once again introducing a serious security vulnerability.
Current Asus mainboards for AMD and Intel platforms use the Armoury Crate and DriverHub.
Anyone running a desktop PC with an Asus mainboard under Windows should install the updates for the "Armoury Crate" and "DriverHub" functions. These functions contain flaws that attackers can abuse to remotely install malware on the computer. Accordingly, the vulnerabilities CVE-2025-3462 and CVE-2025-3463 are rated "high" and "critical" respectively.
Asus distributes updates for "DriverHub" itself via this faulty automatic update system and provides Armoury Crate in the corrected version v6.1.13 for download.
What is annoying about the vulnerabilities is that they rest on a concept that experts have been criticizing as insecure for more than ten years. The automatic download function for Windows software anchored in the UEFI BIOS has already been used several times for attacks, including the "Lojax" UEFI rootkit attack.
Driver reloader anchored in the BIOS
The problem stems from Windows functions for the automatic installation of software that are stored in the flash memory of the mainboard for the UEFI BIOS.
The motherboard manufacturer packs executable files or drivers into the BIOS image and enters them into the Windows Platform Binary Table (WPBT). Windows evaluates this ACPI table (Advanced Configuration and Power Interface) after booting and installs the software linked there.
This automatic installation therefore puts executable files onto the system even without an Internet connection. They are reinstalled every time, even if all storage drives are erased, overwritten or replaced. Careful checks of code signatures and the download origin are therefore important as protection against malware.
However, the New Zealand programmer "MrBruh" noticed in April 2025 that Asus had implemented these security checks inadequately. This allowed him to download arbitrary files from a suitably named web server and install them with administrator rights.
According to MrBruh, however, it is unlikely that the vulnerability was exploited.
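To check whether a given firmware actually publishes a WPBT and what it hands to Windows, the table can be dumped and decoded. The following Python sketch is an added example, not code from Asus, MrBruh or the original article; it assumes the field layout of Microsoft's published WPBT format (36-byte ACPI header, then handoff size, handoff address, content layout, content type and command-line arguments) and uses a constructed sample table.

```python
import struct
import sys

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length


def build_sample_wpbt(args=""):
    """Constructed sample table for offline use, not taken from real firmware."""
    arg_bytes = args.encode("utf-16-le")
    body = WPBT_BODY.pack(0x5A000, 0x7F000000, 1, 1, len(arg_bytes)) + arg_bytes
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"EXAMPLE ", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = -sum(table) & 0xFF  # checksum byte: all bytes must sum to 0 mod 256
    return bytes(table)


def parse_wpbt(table):
    """Return the WPBT fields a defender would review; raise ValueError if malformed."""
    fixed = ACPI_HEADER.size + WPBT_BODY.size
    if len(table) < fixed:
        raise ValueError("too short for a WPBT")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(table)
    if sig != b"WPBT":
        raise ValueError("not a WPBT: signature %r" % sig)
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    if not fixed <= length <= len(table) or fixed + arg_len > length:
        raise ValueError("length fields are inconsistent")
    return {
        "checksum_ok": sum(table[:length]) % 256 == 0,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "binary_size": size,        # size of the image the firmware hands to Windows
        "binary_address": addr,     # physical address of that image
        "content_layout": layout,   # 1 = single PE image
        "content_type": ctype,      # 1 = native user-mode application
        "arguments": table[fixed:fixed + arg_len].decode("utf-16-le", "replace"),
    }


if __name__ == "__main__":
    # A dumped table can be passed as a path; on Linux the live table, if present,
    # is /sys/firmware/acpi/tables/WPBT (root required). Default: the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_wpbt("/demo")
    for key, value in parse_wpbt(raw).items():
        print(f"{key}: {value}")
```

A missing WPBT means the firmware is not using this mechanism; a present one with a non-zero `binary_size` means Windows will be handed an executable at every boot.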
Repeated errors
Even before the switch to UEFI, there were BIOS functions for installing executable files from the mainboard's flash memory under Windows.
The Computrace anti-theft tool for notebooks from the Canadian company Absolute Software was particularly widespread. It has been known since 2014 that the Computrace implementation contained significant security vulnerabilities.
Vulnerabilities in the Lenovo Service Engine for Lenovo notebooks, which also integrates the WPBT, became known as early as 2015.
In 2018, Eset reported that the Lojax attack also used such functions. Nevertheless, Asus has been using Armoury Crate since 2018 at the latest.
In 2023, experts from Eclypsium discovered that Gigabyte had also given many motherboards an automatic update with security holes.
A scan at Virustotal.com shows whether a BIOS update contains executable Windows files or drivers.
(ciw)