The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an “embedded malicious code vulnerability” introduced by means of a supply chain compromise that could allow attackers to perform unintended actions.
“Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise,” according to a description of the flaw published in CVE.org. “The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.”
It’s worth noting that the vulnerability refers to a supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018.
The Russian cybersecurity company said the goal of the attacks was to “surgically target” an unknown pool of users whose machines were identified by their network adapters’ MAC addresses. The trojanized versions of the artifacts came embedded with a hard-coded list of more than 600 unique MAC addresses.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software.
The development comes a few weeks after ASUS formally announced that the Live Update client has reached end-of-support (EOS) as of December 4, 2025. The last version is 3.6.15. As a result, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still relying on the tool to discontinue its use by January 7, 2026.
“ASUS is committed to software security and consistently provides real-time updates to help protect and enhance devices,” the company said in a support page. “Automatic, real-time software updates are available via the ASUS Live Update application. Please update the ASUS Live Update to V3.6.8 or higher version to resolve security concerns.”
