Article Title:
CISA Identifies Critical ASUS Live Update Vulnerability Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant vulnerability in ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation. This vulnerability, designated as CVE-2025-59374 with a CVSS score of 9.3, involves embedded malicious code introduced through a supply chain compromise, potentially allowing attackers to execute unauthorized actions on affected systems.
According to CVE.org, certain versions of the ASUS Live Update client were distributed with unauthorized modifications resulting from a supply chain compromise. These altered versions could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.
This vulnerability traces back to a supply chain attack disclosed in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group had breached some of its servers. The campaign, known as Operation ShadowHammer, was active between June and November 2018. The attackers aimed to surgically target a specific group of users identified by their network adapters’ MAC addresses. The compromised versions of ASUS Live Update contained a hard-coded list of over 600 unique MAC addresses.
At that time, ASUS stated that a small number of devices had been implanted with malicious code through a sophisticated attack on their Live Update servers, targeting a very small and specific user group. The issue was addressed in version 3.6.8 of the Live Update software.
The recent development comes shortly after ASUS announced that the Live Update client reached end-of-support (EOS) as of December 4, 2025, with the final version being 3.6.15. Consequently, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still using the tool to discontinue its use by January 7, 2026.
ASUS has emphasized its commitment to software security, consistently providing real-time updates to protect and enhance devices. The company advises users to update the ASUS Live Update application to version 3.6.8 or higher to resolve security concerns.
