The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in ASUS Live Update software to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, tracked as CVE-2025-59374, stems from a supply chain attack that occurred years ago, with evidence now suggesting ongoing exploitation. The vulnerability carries a critical CVSS score of 9.3.
Key Takeaways
- A critical vulnerability (CVE-2025-59374) in ASUS Live Update software has been added to CISA’s KEV catalog.
- The flaw is a result of a supply chain attack dating back to 2018-2019, known as Operation ShadowHammer.
- Despite the vulnerability’s age, CISA indicates evidence of active exploitation.
- ASUS Live Update software reached end-of-support (EoS) in December 2025.
- Users are advised to uninstall the software due to its discontinued support and the persistent security risk.
The ShadowHammer Attack
The vulnerability is linked to the “ShadowHammer” supply chain attack, which took place between June and November 2018. During this period, attackers compromised ASUS servers and distributed modified versions of the ASUS Live Update client. These compromised versions contained malicious code that could perform unintended actions on devices meeting specific targeting conditions, such as having certain MAC addresses.
CISA’s Warning and KEV Catalog
CISA’s inclusion of CVE-2025-59374 in its KEV catalog signifies that the vulnerability is known to be exploited in the wild. This addition mandates Federal Civilian Executive Branch (FCEB) agencies to address the vulnerability by a specific deadline, January 7, 2026. While CISA acknowledges that not all KEV additions indicate new exploitation, the agency’s stance suggests a renewed concern over this particular flaw.
ASUS | Live Update
CVE-2025-59374
ASUS Live Update Embedded Malicious Code Vulnerability: ASUS Live Update contains an embedded malicious code vulnerability in which builds of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Date Added: 2025-12-17
Due Date: 2026-01-07
End of Support and User Action
ASUS officially announced the end of support for the ASUS Live Update application on December 4, 2025, with version 3.6.15 being the last release. Given that the software is no longer supported and that the risk of exploitation persists, security experts strongly recommend that all ASUS users uninstall the Live Update software immediately. While ASUS previously recommended updating to version 3.6.8 or higher to mitigate security concerns, the discontinuation of support makes continued use inadvisable.
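An inventory check an administrator can run across Windows hosts to find the product before removing it, added here as an example and not code from the article, ASUS or CISA; it reads the standard Add/Remove Programs registry keys, and the DisplayName pattern it matches on is an assumption about how the product registers itself.

```powershell
# Added example: report whether ASUS Live Update is present and which build it is.
# Registry paths are the standard Uninstall keys (64-bit and 32-bit views).
# The '*ASUS Live Update*' DisplayName match is an assumption; adjust if your
# fleet shows a different product name.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsusLiveUpdateStatus {
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ASUS Live Update*' }

    if (-not $entries) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Finding = 'Not installed' }
    }

    foreach ($e in $entries) {
        $ver = $null
        [void][version]::TryParse([string]$e.DisplayVersion, [ref]$ver)

        # Thresholds from the article: 3.6.8 was the earlier recommended floor,
        # 3.6.15 the final release. The product is end-of-support either way,
        # so every hit is a removal finding; the version only changes urgency.
        $finding = if ($ver -and $ver -lt [version]'3.6.8') {
            'Below 3.6.8 (pre-mitigation build) - remove immediately'
        } else {
            'End-of-support product - remove'
        }

        [pscustomobject]@{
            Installed       = $true
            Version         = $e.DisplayVersion
            UninstallString = $e.UninstallString   # reported for the operator, never executed here
            Finding         = $finding
        }
    }
}

Get-AsusLiveUpdateStatus | Format-List
```

Run it through your endpoint-management tool or with Invoke-Command against a host list to produce a fleet-wide report; the script only reads and reports, so the actual uninstall remains a deliberate, separate step.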
Nuance in Vulnerability Reporting
It is important to note that the CVE assignment and CISA’s KEV listing for CVE-2025-59374 appear to be a retrospective classification of a well-documented historical attack. Updates to ASUS’s support pages, while recent, do not necessarily indicate a new or emerging threat but rather a formalization of past events. However, the core message remains: the software is unsupported and carries a significant risk.
Via Ethical Hacking
