The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an “embedded malicious code vulnerability” introduced by means of a supply chain compromise that could allow attackers to perform unintended actions.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise,” according to a description of the flaw published in CVE.org. “The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.”
It’s worth noting that the vulnerability refers to the supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018.
The Russian cybersecurity company said the goal of the attacks was to “surgically target” an unknown pool of users whose machines were identified by their network adapters’ MAC addresses. The trojanized versions of the artifacts came embedded with a hard-coded list of more than 600 unique MAC addresses.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software.
The development comes a few weeks after ASUS formally announced that the Live Update client has reached end-of-support (EOS) as of December 4, 2025. The last version is 3.6.15. As a result, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still relying on the tool to discontinue its use by January 7, 2026.
“ASUS is committed to software security and consistently provides real-time updates to help protect and enhance devices,” the company said in a support page. “Automatic, real-time software updates are available via the ASUS Live Update application. Please update the ASUS Live Update to V3.6.8 or higher version to resolve security concerns.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances