The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation. The alert revives concerns about a long-standing supply chain problem in the ASUS software ecosystem.
The vulnerability, tracked as CVE-2025-59374 with a CVSS score of 9.3, is classified as an embedded malicious code weakness. According to the official documentation, the affected builds carried code inserted during a supply chain compromise; on systems that met the attackers' targeting criteria, that code performed actions the user never requested.
As described by CISA, certain versions of the ASUS Live Update client were distributed with altered code. Only devices that met predefined targeting criteria and installed these compromised builds were impacted. This selective nature made the activity difficult to detect and limited exposure to a specific subset of users.
The flaw is linked to a historic supply chain attack disclosed in March 2019, when ASUS confirmed that an advanced persistent threat group had breached parts of its update infrastructure. The campaign, later named Operation ShadowHammer by Kaspersky, is believed to have been active between June and November 2018.
Investigators reported that the attackers embedded a hard-coded list of more than 600 unique MAC addresses into the trojanized update packages. Only systems whose network adapters matched one of those identifiers were targeted, enabling what researchers described as highly surgical attacks against a still unidentified group of victims.
At the time, ASUS stated that only a very small number of devices were affected and released a fix in version 3.6.8 of the Live Update software. However, the issue has resurfaced in light of new evidence showing continued exploitation activity.
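The two facts above give an incident responder two concrete checks for a fleet of ASUS hosts: does any local adapter's MAC address appear on a published target list, and does the installed Live Update client predate the fixed 3.6.8 release? The following script is an added example written for this article, not code from ASUS, CISA or Kaspersky. The target list, the `ipconfig /all` output and the version strings in it are constructed samples; in a real investigation you would substitute the investigators' published indicator list and the host's actual `ipconfig /all` output. It normalises MAC notation (colon, dash and Cisco dotted forms) before comparing, and compares version numbers numerically so that 3.6.15 is correctly treated as newer than 3.6.8, a check a plain string comparison gets wrong.

```python
"""Triage helpers for hard-coded MAC targeting and Live Update version checks.

Added example; not ASUS, CISA or Kaspersky code. All inputs below are
constructed for illustration.
"""
from __future__ import annotations

import re

# Constructed sample: a target list as it might be extracted from a
# trojanized build, with the mixed notations seen across sources.
TARGET_LIST_TEXT = """
# one MAC per line, notation varies between sources
00:1A:2B:3C:4D:5E
aa-bb-cc-dd-ee-ff
0011.2233.4455
"""

# Constructed sample of `ipconfig /all` output from a Windows host.
IPCONFIG_SAMPLE = """
Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560
   Physical Address. . . . . . . . . : 10-20-30-40-50-60
"""

FIXED_VERSION = "3.6.8"  # first Live Update release with the fix, per the article

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_PHYS = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f-]{17})")


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lowercase colon-separated form.

    Accepts 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' and Cisco 'aabb.ccdd.eeff';
    raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_targets(text: str) -> set[str]:
    """Parse a target list, ignoring blank lines and '#' comments."""
    targets: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            targets.add(normalize_mac(line))
    return targets


def macs_from_ipconfig(text: str) -> list[str]:
    """Pull every 'Physical Address' value out of `ipconfig /all` output."""
    return [normalize_mac(m.group(1)) for m in _PHYS.finditer(text)]


def matching_adapters(local_macs: list[str], targets: set[str]) -> list[str]:
    """Return the local MACs that appear on the target list, order preserved."""
    return [m for m in local_macs if m in targets]


def parse_version(v: str) -> tuple[int, ...]:
    """'3.6.15' -> (3, 6, 15); tuples compare numerically, strings would not."""
    return tuple(int(p) for p in v.strip().split("."))


def version_is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed Live Update build predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(ipconfig_text: str, target_text: str, installed_version: str) -> dict:
    """Combine the MAC check and the version check into one verdict for a host."""
    hits = matching_adapters(macs_from_ipconfig(ipconfig_text), load_targets(target_text))
    return {
        "targeted": bool(hits),
        "matching_macs": hits,
        "vulnerable_version": version_is_vulnerable(installed_version),
    }


if __name__ == "__main__":
    # Constructed host: one adapter on the list, client one build before the fix.
    print(triage(IPCONFIG_SAMPLE, TARGET_LIST_TEXT, "3.6.7"))
```

A host that reports `targeted` is worth a full forensic look regardless of its client version, since the trojanized build may already have run; a host that is only `vulnerable_version` should be moved off Live Update rather than merely updated, given the product is now out of support.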
The renewed warning follows a recent announcement by ASUS confirming that the Live Update client officially reached end of support on December 4, 2025. The final released version is 3.6.15. In response, CISA has urged Federal Civilian Executive Branch agencies that still rely on the tool to discontinue its use by January 7, 2026.
ASUS stated on its support portal that it remains committed to software security and user protection. The company reiterated that users should update to version 3.6.8 or later to address known security risks. With the product now unsupported, security agencies continue to recommend transitioning away from ASUS Live Update entirely to reduce exposure.