CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

Briefly

"The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise that could allow attackers to perform unintended actions. "Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise," according to a description of the flaw published in CVE.org. "The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected.""

"It's worth noting that the vulnerability refers to the supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018."

""A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group," ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software."