The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, confirming evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2025-59374 and assigned a CVSS score of 9.3, is classified as an embedded malicious code vulnerability resulting from a historical supply chain compromise. Successful exploitation could allow threat actors to execute unintended and potentially malicious actions on targeted systems.
According to the official CVE record, certain versions of the ASUS Live Update client were distributed with unauthorized and malicious modifications introduced during a supply chain breach. These compromised builds were engineered to activate only on devices that met highly specific targeting conditions, limiting exposure but increasing stealth and impact.
Notably, this vulnerability is tied to the infamous Operation ShadowHammer campaign disclosed in March 2019. At the time, ASUS confirmed that an advanced persistent threat (APT) group had infiltrated its update servers, distributing trojanized software updates between June and November 2018. The campaign was uncovered by Kaspersky, which described the operation as a highly selective attack designed to “surgically target” a narrow set of victims.
Kaspersky researchers revealed that the malicious ASUS Live Update binaries contained a hard-coded list of more than 600 unique MAC addresses, enabling attackers to activate the payload only on preselected machines. ASUS later acknowledged that a limited number of users were affected and emphasized that the attack was intended for a very small and specific group.
ASUS addressed the issue by releasing Live Update version 3.6.8, which removed the malicious components and strengthened update integrity checks. However, the situation has evolved further in recent weeks.
Earlier this month, ASUS officially announced that ASUS Live Update reached end-of-support (EOS) on December 4, 2025, with version 3.6.15 being the final release. In response, CISA has urged all Federal Civilian Executive Branch (FCEB) agencies still using the tool to discontinue its use by January 7, 2026, citing unacceptable security risks.
“ASUS is committed to software security and continuously provides real-time updates to help protect and enhance devices,” the company stated in a support advisory. ASUS has reiterated that users should upgrade to Live Update v3.6.8 or later to mitigate known security issues, though the EOS status effectively signals the end of long-term protection.
Security takeaway: Organizations and individual users are strongly advised to remove ASUS Live Update from affected systems, transition to supported update mechanisms, and review endpoint security controls to detect any signs of past compromise.
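One way to triage a fleet against the guidance above, as an added example that is not code from ASUS, CISA or Kaspersky: it sorts installed Live Update versions against the 3.6.8 and 3.6.15 releases named in the article and flags hosts whose MAC address appears on a target list. The inventory columns, product string, host names and the one-entry target list are constructed assumptions.

```python
import csv
import io
import re

FIXED = (3, 6, 8)    # article: release that removed the malicious components
FINAL = (3, 6, 15)   # article: final release before end-of-support

# Constructed inventory export; column names and product string are assumptions.
SAMPLE_INVENTORY = """host,product,version,macs
ws-014,ASUS Live Update,3.4.2,00-11-22-33-44-55
ws-027,ASUS Live Update,3.6.8,66:77:88:99:AA:BB
ws-031,ASUS Live Update,3.6.15,CC:DD:EE:FF:00:11;02:00:00:00:00:01
ws-040,ASUS Live Update,unknown,12:34:56:78:9a:bc
ws-052,Other Updater,1.0.0,de:ad:be:ef:00:01
"""

# Constructed stand-in for a published target list, in normalized form.
SAMPLE_TARGETED_MACS = {"001122334455"}

def norm_mac(mac):
    """Strip separators and case so 00-11-.. and 00:11:.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_version(text):
    """Return a tuple of ints, or None when the field is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(inventory_csv, targeted_macs):
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "asus live update":
            continue
        ver = parse_version(row["version"])
        # Compare as integer tuples: as strings, "3.6.15" sorts below "3.6.8".
        if ver is None or ver > FINAL:
            status = "unrecognized version: inspect manually"
        elif ver < FIXED:
            status = "predates 3.6.8: remove, check for past compromise"
        else:
            status = "end-of-support: remove"
        macs = {norm_mac(m) for m in row["macs"].split(";") if m.strip()}
        findings[row["host"]] = (status, bool(macs & targeted_macs))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY, SAMPLE_TARGETED_MACS))
```

A target-list match matters only for hosts that also ran a build from the compromise window, so read the two fields of each finding together.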