CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation — What You Need to Know

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability affecting the ASUS Live Update utility to its Known Exploited Vulnerabilities (KEV) catalog — a list that includes flaws that are confirmed to be actively exploited in the wild. This designation is serious: it indicates that attackers have not only discovered the flaw but are already using it against systems still vulnerable. The Hacker News+1

The flaw — tracked as CVE-2025-59374 — is rated as critical with a CVSS score of 9.3+, meaning that it poses a very high risk if left unaddressed. At the heart of this issue is a supply chain compromise that introduced malicious code into the ASUS Live Update software itself. Given the software’s widespread use on ASUS laptops and desktops, many security professionals are urging immediate attention. マイナビニュース+1

---

What Is ASUS Live Update and Why It Matters

ASUS Live Update is a utility software developed by ASUS and widely pre-installed on their computers. Its purpose is to help users keep system components up-to-date — including BIOS, firmware, drivers, and utilities — by automatically checking for and installing updates. In theory, this makes system maintenance easier for users who might otherwise overlook critical patches.

However, the very mechanism designed to improve security became a vector for risk when attackers compromised the supply chain that delivered the software. Supply chain attacks are especially dangerous because they leverage trusted channels to distribute tampered files — meaning that users and systems are far more likely to accept the malicious components as legitimate. SecurityWeek

---

Understanding CVE-2025-59374: Embedded Malicious Code

The vulnerability added to the KEV catalog (CVE-2025-59374) stems from what’s been described as an “embedded malicious code vulnerability.” In essence, certain builds of ASUS Live Update were modified without authorization before being distributed. These modifications introduced executable code capable of performing unintended actions on affected devices.

Typically, malicious code distributed this way can open backdoors, execute unauthorized commands, or even install additional malware — all without the user’s knowledge. The issue affects systems that meet specific targeting conditions and installed the compromised Live Update versions. Rapid7

This particular flaw is tied to a historic but still relevant attack known as Operation ShadowHammer, a supply chain compromise that was first uncovered in 2018. In that incident, attackers — widely believed to be an advanced persistent threat (APT) group — breached ASUS update infrastructure and inserted a backdoor into the Live Update utility. The backdoor targeted a hard-coded list of device identifiers (such as MAC addresses) and was designed to activate only on select machines. SecurityWeek

Despite being identified years ago, the presence of this embedded malicious code remains a risk for systems that were never patched or updated properly. Because of that ongoing threat, CISA’s recent inclusion of this vulnerability in the KEV list is a clear signal that active exploitation still occurs and that mitigation is urgent. OpenText Cybersecurity Community

---

Why CISA’s KEV Addition Is Significant

CISA’s Known Exploited Vulnerabilities catalog serves an important purpose: it highlights vulnerabilities that are not just theoretical, but are being exploited by threat actors right now. When CISA adds a CVE to this list, it often triggers binding operational directives for U.S. federal agencies to take action by specific deadlines — typically patching or discontinuing use of the affected product. CVEFeed

In the case of CVE-2025-59374:

• Federal Civilian Executive Branch (FCEB) agencies have a compliance deadline to address or remove the vulnerable software.

• Private sector and individual users, while not bound by CISA directives, are strongly advised to follow similar remediation steps.

• The ongoing designation emphasizes that this isn’t just an old vulnerability in theory — it’s one actively used in some form by malicious actors. CVEFeed

While ASUS Live Update has officially reached end-of-support (EOS) as of late 2025, with the final version being 3.6.15, the lingering presence of older and unpatched versions still installed on devices poses a real risk to user security. マイナビニュース

---

Who Is Affected?

The vulnerability potentially affects any ASUS device that:

1. Had the Live Update client installed; and

2. Installed one of the compromised builds prior to the patch and end-of-support.

Although millions of users may have been exposed at one time, security researchers note that the original Operation ShadowHammer attack specifically targeted a small set of devices through hard-coded identifiers. That said, the risk is still relevant for general exploitation, especially on older systems that have not been updated to secure versions. SecurityWeek

Given that many ASUS devices still in use may never have received patches or may have been used offline for years, enterprise networks and home environments alike should consider the vulnerability a current operational risk — not just a historical footnote.

---

Mitigation and Remediation Steps

1. Update or Remove ASUS Live Update

If your system still uses ASUS Live Update, the first step is to identify the installed version:

• If it’s older than version 3.6.8, you should update it immediately to at least that version or higher.

• Given that Live Update is now EOS and may no longer receive security patches, many experts recommend uninstalling the utility entirely, especially if it’s not essential to system operations. Rapid7

2. Use Official ASUS Support Resources

Always download updates directly from ASUS’s official website to avoid tampered or counterfeit installers. Just because a file seems legitimate doesn’t mean it is — and supply chain risks underscore the importance of trust in software sources. SecurityWeek

3. Scan for Indicators of Compromise

Run comprehensive scans with reputable antivirus and endpoint detection tools. If malicious code was present in your version of Live Update, it may have triggered additional unauthorized actions.

4. Apply Network Defenses

Organizations should ensure that intrusion detection and prevention systems (IDS/IPS), endpoint security, and other monitoring tools are configured to alert on unusual activity associated with ASUS utilities or suspicious outbound connections.

5. Follow CISA and Vendor Advisories

If you’re part of a larger organization, especially one that falls under U.S. federal guidance, prioritizing patching and mitigation efforts per CISA’s directives is critical. Even for non-federal environments, aligning with these advisories improves overall security posture.

---

Lessons for the Broader Security Community

The ASUS Live Update incident is a stark reminder of the risks inherent in software supply chains. Modern systems rely on layers upon layers of code and processes that extend far beyond the operating system itself. When any link in that chain is compromised, even indirectly through trusted update mechanisms, the potential for damage rises sharply.

Security professionals emphasize the importance of:

• Zero Trust principles — assuming that even legitimate tools can be vectors for attack if not properly verified

• Regular patching and software inventory controls — knowing exactly what software is installed and whether it’s current

• Monitoring for anomalies — especially for tools that operate with elevated privileges or automatic update features

These practices are relevant not only for enterprise environments, but also for individual users who may overlook the importance of keeping all software — not just the operating system — up to date.

---

Conclusion

The addition of the ASUS Live Update vulnerability (CVE-2025-59374) to CISA’s Known Exploited Vulnerabilities catalog is a serious wake-up call. It highlights the ongoing risk posed by old supply chain-based backdoors and the need for organizations and users alike to treat software update utilities with the same caution as any external software.

Whether you’re managing a fleet of corporate devices or using a personal ASUS laptop at home, the steps are clear: identify vulnerable installations, update or remove compromised software, and enhance your defensive posture to guard against further exploitation. Proactive security measures — motivated by advisories like this — remain the best defense against increasingly sophisticated threats.