The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged CVE-2025-59374 — a critical vulnerability in ASUS Live Update — as part of its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.
Vulnerability Details
- CVE: CVE-2025-59374
- CVSS Score: 9.3 (Critical)
- Type: Embedded malicious code via supply chain compromise.
- Impact: Modified builds could trigger unintended actions on targeted devices.
- Targeting method: Devices identified by MAC addresses (600+ hard-coded targets).
Background: Operation ShadowHammer
- Timeline: June–Nov 2018 (disclosed March 2019).
- Attackers: Advanced Persistent Threat (APT) group breached ASUS servers.
- Technique: Trojanized Live Update builds distributed to users.
- Goal: “Surgically target” specific victims using MAC address filtering.
- Fix: Issue resolved in Live Update v3.6.8.
Current Context
- End-of-support (EOS): ASUS Live Update officially ended support on Dec 4, 2025 (last version 3.6.15).
- CISA directive: Federal Civilian Executive Branch (FCEB) agencies must discontinue use by Jan 7, 2026.
- ASUS statement: Urges users to update to v3.6.8 or higher to mitigate risks.
Recommended Actions
- For agencies & enterprises:
  - Immediately remove ASUS Live Update from systems.
  - Audit for compromised versions and check MAC address targeting lists.
  - Replace with secure update mechanisms.
- For individual users:
  - Ensure Live Update is v3.6.8 or later (though EOS means migration is best).
  - Apply latest ASUS firmware/software updates manually from official sources.
  - Monitor for suspicious activity if Live Update was previously installed.
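The audit steps above, as an added PowerShell example (not CISA's or ASUS's own tooling): it reads the installed ASUS Live Update version from the Windows Uninstall registry keys, classifies it against the v3.6.8 fix and the Dec 4, 2025 end-of-support date, and compares the host's adapter MAC addresses against a target list. It assumes the product registers with a DisplayName beginning "ASUS Live Update"; the `$TargetMacs` entry is a constructed placeholder to be replaced with the MAC list from the published Operation ShadowHammer indicators.

```powershell
# Added audit example, not code from the advisory or from ASUS.
$FixedVersion = [version]'3.6.8'        # first build without the trojanized code (per ASUS)
$EosDate      = [datetime]'2025-12-04'  # ASUS ended support for Live Update on this date
$TargetMacs   = @('00-11-22-33-44-55')  # CONSTRUCTED placeholder, not a real target

function Get-NormalizedMac([string]$Mac) {
    # Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and compare on one form
    return (($Mac -replace '[:\-\.]', '').ToUpper())
}

# Assumption: the product appears under the standard per-machine Uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'ASUS Live Update*' }

if (-not $installs) {
    Write-Output 'ASUS Live Update not found in the Uninstall registry keys.'
} else {
    foreach ($app in $installs) {
        $ver = $null
        try { $ver = [version]$app.DisplayVersion } catch { }
        if (-not $ver) {
            $status = 'version unknown: treat as unpatched and remove'
        } elseif ($ver -lt $FixedVersion) {
            $status = "VULNERABLE BUILD RANGE (below $FixedVersion): remove immediately"
        } elseif ((Get-Date) -ge $EosDate) {
            $status = "patched build, but product is end-of-support since $($EosDate.ToShortDateString()): migrate and remove"
        } else {
            $status = 'patched build'
        }
        Write-Output ("{0} {1} - {2}" -f $app.DisplayName, $app.DisplayVersion, $status)
        if ($app.UninstallString) { Write-Output "  Uninstall: $($app.UninstallString)" }
    }
}

# ShadowHammer selected victims by MAC address, so compare this host's adapters to the list
$targets = $TargetMacs | ForEach-Object { Get-NormalizedMac $_ }
Get-NetAdapter -ErrorAction SilentlyContinue | ForEach-Object {
    $mac = Get-NormalizedMac $_.MacAddress
    if ($targets -contains $mac) {
        Write-Output "ALERT: adapter '$($_.Name)' MAC $mac is on the target list"
    }
}
```

Run it in an elevated session; a hit on either check is a reason to isolate the host and review it for activity dating back to the Live Update install.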
Takeaway
This case underscores the long tail of supply chain compromises: even years after Operation ShadowHammer, ASUS Live Update remains a risk vector. With EOS announced, discontinuation and migration are the safest paths forward.