- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting ASUS Live Update to its Known Exploited Vulnerabilities catalog.
- The flaw, CVE-2025-59374, involves an embedded malicious code vulnerability caused by a supply chain compromise.
- The issue originated from a 2018 attack known as Operation ShadowHammer targeting select devices via their MAC addresses.
- ASUS ended support for the Live Update client on December 4, 2025 (final release 3.6.15); its support page still advises users on older builds to move to version 3.6.8 or later.
- CISA advised federal agencies to discontinue use of the tool by January 7, 2026, due to ongoing security risks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a critical vulnerability impacting ASUS Live Update software in its Known Exploited Vulnerabilities (KEV) catalog as of December 2025. This action was prompted by observed active exploitation of the flaw.
The vulnerability, tracked as CVE-2025-59374, received a CVSS score of 9.3 and involves malicious code embedded into the software through unauthorized changes made during a supply chain compromise. According to the CVE description, affected devices met specific targeting conditions and ran compromised versions of the Live Update client, which allowed attackers to cause the devices to perform unintended actions.
This vulnerability traces back to a supply chain attack uncovered in March 2019, when ASUS confirmed that an advanced persistent threat group had breached some of its update servers. The incident, named Operation ShadowHammer by cybersecurity firm Kaspersky, took place between June and November 2018. The trojanized updates were signed with legitimate ASUS certificates and delivered through the normal update channel, but carried a hard-coded list of over 600 network adapter MAC addresses so that the implant acted only on machines whose adapter matched an entry; every other recipient of the backdoored update was a carrier rather than a target.
At that time, ASUS acknowledged the attack, stating, “A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.” The company resolved the issue by releasing Live Update version 3.6.8.
Recently, ASUS formally announced the end of support (EOS) for the Live Update client as of December 4, 2025, with the final version being 3.6.15. Following this, CISA urged federal agencies still using the software to discontinue it by January 7, 2026, due to unresolved security concerns.
ASUS stated on a support page that it is committed to software security and encouraged users to update the Live Update software to version 3.6.8 or later to address security risks. The same page still describes the client as delivering automatic, real-time updates to protect devices from vulnerabilities, although the client itself receives no further maintenance after the end-of-support date, which is why CISA's remediation is removal rather than an upgrade.
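As an added example (not code from the article, ASUS or CISA), the following Python script turns the two facts above into a triage pass over an asset inventory: it flags clients older than the 3.6.8 fix as possibly trojanized, marks every remaining install as unsupported after December 4, 2025, notes whether the January 7, 2026 CISA due date has passed, and checks each host's adapter MACs against an indicator list in the way ShadowHammer's own gating worked. The inventory rows, host names, versions and the MAC indicator list are constructed for illustration; the real ShadowHammer target list is not reproduced here.

```python
import re
from datetime import date
from typing import Iterable, NamedTuple

FIXED_VERSION = (3, 6, 8)        # ASUS release that closed the 2018 compromise (from the article)
FINAL_VERSION = (3, 6, 15)       # last release before end of support (from the article)
EOS_DATE = date(2025, 12, 4)     # ASUS end of support for the Live Update client
KEV_DUE_DATE = date(2026, 1, 7)  # CISA discontinue-use date for federal agencies


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.6.8' -> (3, 6, 8). Tuples compare numerically; raw strings would sort '3.6.15' before '3.6.8'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Live Update version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex lower-case form; accepts AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class Finding(NamedTuple):
    host: str
    version: str
    status: str      # "vulnerable-range", "patched-eos" or "unknown-version"
    targeted: bool   # a local adapter MAC appears on the indicator list
    action: str


def triage_host(host: str, version: str, macs: Iterable[str],
                ioc_macs: set[str], today: date) -> Finding:
    """Classify one host. ioc_macs must already be normalized with normalize_mac()."""
    targeted = any(normalize_mac(m) in ioc_macs for m in macs)
    try:
        v = parse_version(version)
    except ValueError:
        status, action = "unknown-version", "confirm installed client manually"
    else:
        if v < FIXED_VERSION:
            status = "vulnerable-range"
            action = "predates the 3.6.8 fix: treat as possibly trojanized, image and rebuild"
        else:
            status = "patched-eos"
            action = f"unsupported since {EOS_DATE.isoformat()}: uninstall"
    if today > KEV_DUE_DATE:
        action += f" (CISA due date {KEV_DUE_DATE.isoformat()} has passed)"
    if targeted:
        action = "adapter MAC on targeting list: open an incident; " + action
    return Finding(host, version, status, targeted, action)


def triage_inventory(rows, ioc_macs, today: date) -> list[Finding]:
    """Rank findings: targeted hosts first, then vulnerable-range, then unknown, then patched-but-EOS."""
    normalized_iocs = {normalize_mac(m) for m in ioc_macs}
    findings = [triage_host(r["host"], r["live_update_version"], r["macs"], normalized_iocs, today)
                for r in rows]
    rank = {"vulnerable-range": 0, "unknown-version": 1, "patched-eos": 2}
    return sorted(findings, key=lambda f: (not f.targeted, rank[f.status], f.host))


# Constructed sample data: host names, versions, MACs and the indicator list are made up.
SAMPLE_IOC_MACS = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]
SAMPLE_INVENTORY = [
    {"host": "lt-0042", "live_update_version": "3.6.7",  "macs": ["aa:bb:cc:dd:ee:01"]},
    {"host": "lt-0043", "live_update_version": "3.6.15", "macs": ["0011.2233.4455", "aa:bb:cc:dd:ee:02"]},
    {"host": "lt-0044", "live_update_version": "3.6.8",  "macs": ["aa:bb:cc:dd:ee:03"]},
    {"host": "lt-0045", "live_update_version": "n/a",    "macs": []},
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY, SAMPLE_IOC_MACS, date.today()):
        print(f"{f.host:8} {f.version:7} {f.status:17} targeted={f.targeted!s:5} {f.action}")
```

Two details matter in practice: versions must be compared as integer tuples, because a string comparison places the final 3.6.15 release below the 3.6.8 fix and would mis-flag fully updated hosts; and MAC addresses arrive in different notations depending on which tool exported the inventory, so both the indicator list and the host data are normalized before matching. A version at or above 3.6.8 only means the host did not receive the 2018 trojanized build; the CISA action still requires the client to be removed.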
