
CISA Alerts Users: Critical Vulnerability in ASUS Live Update Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently flagged a critical vulnerability affecting ASUS Live Update, which is now listed in its Known Exploited Vulnerabilities (KEV) catalog following evidence of ongoing exploitation.

This vulnerability, identified as CVE-2025-59374, has a CVSS score of 9.3 and is categorized as an "embedded malicious code vulnerability." It was the result of unauthorized alterations introduced through a supply chain compromise, potentially allowing attackers to execute unintended actions on affected devices.

CISA’s report indicates that certain ASUS Live Update client versions were distributed with these modifications, which could lead to unintended device behaviors in specific circumstances. Only those devices that installed the compromised versions are at risk.

This issue relates to a supply chain attack first brought to light in March 2019. During that incident, an advanced persistent threat (APT) group infiltrated ASUS servers as part of a campaign termed Operation ShadowHammer, which reportedly ran from June to November 2018. The attackers sought to target a select group of users based on their MAC addresses, embedding malicious code within modified updates distributed to those systems.

ASUS confirmed that the malicious updates affected only a limited number of devices and noted that the company rectified the issue in version 3.6.8 of the Live Update software.

This latest revelation comes shortly after ASUS announced that the Live Update client reached its end of support on December 4, 2025, with the last version being 3.6.15. CISA has advised any Federal Civilian Executive Branch (FCEB) agencies still using the tool to discontinue it by January 7, 2026, in light of this critical vulnerability.

ASUS officials reiterated their commitment to software security, encouraging users to update to version 3.6.8 or later to mitigate associated security risks.

