The US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw affecting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), is described as “embedding a malicious code vulnerability” introduced by a supply chain compromise, which could allow an attacker to perform unintended actions.
“Certain versions of the ASUS Live Update client were distributed with unauthorized changes introduced through a supply chain compromise,” according to the flaw description published on CVE.org. “The modified build may cause unintended behavior on devices that meet certain targeting conditions. Only devices that meet these conditions and have installed the compromised version are affected.”
It’s worth noting that this vulnerability refers to a supply chain attack that was revealed in March 2019, when ASUS admitted that the Advanced Persistent Threat (APT) group had compromised some of its servers as part of a campaign codenamed “Operation ShadowHammer” by Kaspersky Lab. This activity is said to have been carried out from June to November 2018.
The Russian cybersecurity firm said the aim of the attack was to “surgically target” an unknown group of users whose machines were identified by the MAC address of their network adapter. The trojanized version of the artifact contained a hardcoded list of over 600 unique MAC addresses.
ASUS noted at the time that “a sophisticated attack on our Live Update servers resulted in malicious code being implanted on a small number of devices in an attempt to target a very small and specific group of users.” This issue was fixed in Live Update software version 3.6.8.
This development comes weeks after ASUS officially announced that its Live Update client has reached end of support (EOS) on December 4, 2025. The final version is 3.6.15. As a result, CISA has asked Federal Civilian Executive Branch (FCEB) agencies that still rely on this tool to cease using it by January 7, 2026.
“ASUS is committed to software security and continually provides real-time updates to help protect and harden your devices,” the company said on its support page. “Automatic, real-time software updates are available via the ASUS Live Update application. To resolve security issues, please update ASUS Live Update to V3.6.8 or a later version.”
Source link
