Tuesday December 30, 2025

Advisory ID: NCC-CSIRT-2025-028

Summary: 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical supply-chain vulnerability, CVE-2025-59374, affecting the ASUS Live Update client to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation in the wild. The flaw stems from malicious code inserted into official ASUS Live Update builds via a supply-chain compromise, enabling attackers to trigger unintended actions on targeted systems. This advisory highlights the risk to organizations that still deploy or rely on ASUS Live Update, and urges immediate mitigation to limit exposure.

Damage/Probability: Critical/High

Product(s): 

ASUS Live Update Client (ASUS software utility for updating BIOS, drivers, and firmware on ASUS systems)

Version(s): 

ASUS Live Update binaries distributed with unauthorized modifications through the supply-chain compromise; any version installed prior to the update/fix is affected where the malicious build conditions apply.

Platform(s): 

ASUS laptops and PCs where the compromised ASUS Live Update client was installed; affected systems that meet specific targeting conditions, where malicious code can execute unintended actions.

Description: 

The vulnerability CVE-2025-59374, now listed in CISA’s KEV Catalog, refers to an “embedded malicious code vulnerability” in certain ASUS Live Update client builds. These malicious builds were distributed via a supply chain compromise first publicly documented as part of the Operation ShadowHammer campaign (2018–2019), where threat actors infiltrated ASUS infrastructure and embedded unauthorized code in legitimate update packages. The compromised clients contained a hard-coded list of target identifiers (e.g., specific MAC addresses) so only selected systems would execute malicious logic.

Although the original campaign occurred years earlier, CISA’s classification reflects confirmation that systems with the tainted Live Update client still exist in operational environments, are reachable, and are being actively exploited by threat actors. The compromise allows execution of unintended actions under conditions defined by the malicious code, potentially permitting remote attackers or unauthorized processes to affect system state, exfiltrate data, or facilitate additional malicious payloads when target conditions are met. Because the affected Live Update client has reached end-of-support as of December 4, 2025, no future security patches will be produced for this component.

Threat Types: 

  • Supply-chain compromise
  • Unauthorized modifications introduced into ASUS Live Update client distributions
  • Remote code execution (RCE) through malicious update logic
  • Targeted exploitation: malicious code triggers only on devices meeting specific criteria (e.g., specific MAC addresses)
  • Persistence and lateral movement via tampered system update mechanisms

Impacts: 

  • Malicious code execution: Affected systems may run hidden malicious code, enabling remote compromise and persistence.
  • Supply-chain compromise risk: Abuse of a trusted update mechanism allows attackers to bypass normal security controls.
  • Targeted compromise: The malware was selectively triggered on specific systems, indicating possible pre-existing compromises.
  • Lateral movement risk: Infected endpoints could be used as entry points for broader network attacks and data theft.

Solutions:

NCC-CSIRT recommends the following mitigation steps:

  • Uninstall ASUS Live Update from all systems and discontinue its use (end-of-support).
  • Scan affected systems to ensure no residual malicious components remain.
  • Replace with secure, supported update mechanisms for BIOS, drivers, and firmware.
  • Monitor endpoints and network activity for suspicious behavior linked to ASUS Live Update.
  • Enforce secure software update and supply-chain policies, including trusted sources and application allow-listing.
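To support the first mitigation step (identifying every system that still carries the client), the following added example script inventories a Windows host for ASUS Live Update; it is not part of this advisory or of any ASUS tooling. It assumes the client registers under the standard Windows uninstall registry keys with a DisplayName containing "ASUS Live Update"; the exact DisplayName, version strings and install paths ASUS uses are not given here and are not hard-coded.

```powershell
# Added example (not from the NCC-CSIRT advisory or ASUS): inventory check
# for the ASUS Live Update client on one Windows host. Intended to be run
# fleet-wide through endpoint management tooling; the exit code marks hits.
# Assumption: the product appears under the standard uninstall keys with a
# DisplayName containing "ASUS Live Update" (pattern is an assumption).

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsusLiveUpdateInstall {
    # Returns one object per matching uninstall entry (nothing if none found).
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ASUS Live Update*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate,
                      InstallLocation, UninstallString, PSPath
}

function Get-AsusLiveUpdateService {
    # Any service advertising the product name is also worth recording.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ASUS Live Update*' } |
        Select-Object Name, DisplayName, Status
}

$installs = @(Get-AsusLiveUpdateInstall)
$services = @(Get-AsusLiveUpdateService)

if ($installs.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME`: ASUS Live Update not registered as installed."
    exit 0
}

# The component is end-of-support, so any version present counts as exposure;
# report every hit with the data needed to plan removal.
foreach ($i in $installs) {
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        Product         = $i.DisplayName
        Version         = $i.DisplayVersion
        InstallLocation = $i.InstallLocation
        UninstallString = $i.UninstallString
    } | Format-List
}
$services | Format-Table -AutoSize

exit 2   # non-zero: host still carries the client and needs remediation
```

A clean result only shows that the client is not registered as installed; it does not prove that no residual malicious components remain, which is why the advisory separately recommends scanning the affected systems.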

References: