Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise.
Analysis Summary
# Vulnerability: Critical ASUS Live Update Supply Chain Compromise
## CVE Details
- CVE ID: CVE-2025-59374
- CVSS Score: 9.3 (Critical)
- CWE: Not explicitly provided; the issue is a supply chain compromise that led to embedded malicious code execution.
## Affected Systems
- Products: ASUS Live Update client
- Versions: Certain versions of the ASUS Live Update client distributed after a supply chain compromise (specific version numbers for affected builds are not listed, but the fix starts at v3.6.8).
- Configurations: Only devices meeting specific, undisclosed targeting conditions (which involved hard-coded MAC addresses) and which installed the compromised versions.
## Vulnerability Description
This critical vulnerability stems from a supply chain compromise that occurred during attacks traced back to 2018 (Operation ShadowHammer campaign). Unauthorized, malicious code was embedded into certain builds of the ASUS Live Update client software before they were distributed to end-users. These modified builds could cause devices matching specific internal criteria (related to MAC addresses) to perform unintended actions. The flaw is described as an "embedded malicious code vulnerability."
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog based on evidence of active exploitation).
- Complexity: Based on the historical context of the ShadowHammer campaign, initial exploitation required sophisticated supply chain access, but widespread exploitation of already compromised versions may be simpler now.
- Attack Vector: The initial compromise was against ASUS servers; exploitation targeted end-user devices that received the trojanized software.
## Impact
*Note: Specific impact details are inferred from the high CVSS score and the nature of the attack.*
- Confidentiality: High (Malicious code execution could lead to data theft).
- Integrity: High (The attacker could perform unintended actions on the system).
- Availability: Medium to High (Depending on the nature of the dropped malicious code).
## Remediation
### Patches
- Patch: Update the ASUS Live Update software to **Version 3.6.8 or higher**.
- End of Support Note: ASUS announced End-of-Support (EOS) for the Live Update client as of December 4, 2025, with the last version being 3.6.15.
### Workarounds
- CISA has urged Federal Civilian Executive Branch (FCEB) agencies to **discontinue use of the ASUS Live Update tool entirely by January 7, 2026.**
## Detection
- Detection methods are not detailed in the provided text; analysts should take into account the historical activity of the 2018/2019 ShadowHammer campaign, which targeted devices based on **hard-coded MAC addresses** present in the malicious payload.
- Focus analysis on system processes related to the Live Update client and any known Indicators of Compromise (IOCs) associated with past ASUS supply chain compromises.
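As an added defender-side example (not part of the advisory above), the following Python triage script applies the remediation thresholds from the Remediation section and the MAC-based targeting criterion from the Detection section to an endpoint inventory; the inventory records and the targeted-MAC list are constructed placeholders, since the page lists no indicator values.

```python
import re
from datetime import date

# Thresholds taken from the advisory text above.
FIXED_VERSION = (3, 6, 8)            # first fixed build of ASUS Live Update
LAST_VERSION = (3, 6, 15)            # final release before end-of-support
EOS_DATE = date(2025, 12, 4)         # vendor end-of-support date
FCEB_DISCONTINUE_BY = date(2026, 1, 7)  # CISA discontinue-use deadline

def parse_version(text: str) -> tuple:
    """Turn '3.6.8' or 'v3.06.8' into a comparable integer tuple."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase hex, colon-separated; accepts '-', ':', '.' or no separator."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def triage_host(host: dict, targeted_macs: set, today: date) -> list:
    """Return the list of findings for one inventory record."""
    findings = []
    version = parse_version(host["live_update_version"])
    if version < FIXED_VERSION:
        findings.append("VULNERABLE: Live Update below 3.6.8, update or remove")
    elif today >= EOS_DATE:
        findings.append("EOS: Live Update is unsupported, remove the client")
    if today > FCEB_DISCONTINUE_BY:
        findings.append("OVERDUE: past the CISA discontinue-use date of 2026-01-07")
    for mac in host["macs"]:
        if normalize_mac(mac) in targeted_macs:
            findings.append(f"MATCH: interface {mac} is on the targeted-MAC list, investigate host")
    return findings

# Constructed sample data: the MAC below is a placeholder, not a real indicator.
TARGETED_MACS = {normalize_mac("00-11-22-33-44-55")}
INVENTORY = [
    {"hostname": "lab-01", "live_update_version": "3.6.7", "macs": ["00:11:22:33:44:55"]},
    {"hostname": "lab-02", "live_update_version": "v3.6.15", "macs": ["AABBCCDDEEFF"]},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h["hostname"], triage_host(h, TARGETED_MACS, date(2025, 12, 18)))
```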
## References
- Vendor Advisory (Historical context): https://www.asus.com/news/hqfgvuyz6uyayje1/
- Vendor Security Page Update: https://www.asus.com/us/support/faq/1018727/
- CISA KEV Catalog Update: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
- CVE Entry: https://www.cve.org/CVERecord?id=CVE-2025-59374