CISA Adds Critical ASUS Live Update Vulnerability to Known Exploited List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a significant software vulnerability affecting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion, announced on December 18, 2025, stems from confirmed evidence that the flaw, CVE-2025-59374, is being actively exploited by malicious actors. The critical nature of this vulnerability underscores the ongoing risks associated with supply chain compromises in the software industry.
The vulnerability, which carries a severe CVSS score of 9.3, is categorized as an “embedded malicious code vulnerability.” This designation reflects how attackers used a breach of ASUS’s supply chain to introduce unauthorized modifications into the Live Update client. These altered versions then had the potential to execute unintended actions on targeted devices, a method of attack that bypasses traditional software security measures because the malicious code arrives through the vendor’s own trusted update channel.
Details of the ASUS Live Update Supply Chain Compromise
According to official descriptions, the compromised ASUS Live Update client was distributed with unauthorized modifications due to a successful supply chain attack. Only devices that met specific targeting conditions and had installed these compromised versions were affected, indicating a carefully orchestrated operation rather than a broad, indiscriminate breach. The description on CVE.org emphasizes that the attack was designed to affect a precise subset of users.
This event is intrinsically linked to a broader supply chain attack that first came to light in March 2019. At that time, ASUS disclosed that an advanced persistent threat (APT) group had breached some of its servers. This campaign, codenamed Operation ShadowHammer by cybersecurity firm Kaspersky, reportedly took place between June and November 2018. The attackers’ objective was to surgically target specific users, identified by their network adapters’ MAC addresses, embedding malicious code within legitimate software updates.
Kaspersky reported that the trojanized versions of ASUS software contained a hard-coded list of over 600 unique MAC addresses, indicating a highly targeted approach. ASUS itself acknowledged that a small number of devices were compromised by malicious code inserted through a sophisticated attack on its Live Update servers, aimed at a very specific, small user group. The company stated that the issue was resolved in version 3.6.8 of the Live Update software, providing a crucial patch for affected users.
Implications and Actionable Advice for Federal Agencies
The CISA listing of CVE-2025-59374 as a known exploited vulnerability triggers mandatory security directives for U.S. federal agencies. This action requires agencies to identify and protect their systems against this threat. The vulnerability’s inclusion serves as a critical alert, prompting immediate attention to mitigate potential damage and prevent further exploitation.
The timing of CISA’s addition is significant, occurring shortly after ASUS formally announced the end-of-support (EOS) for the Live Update client. As of December 4, 2025, the software no longer receives updates, with version 3.6.15 being the last. Consequently, CISA has issued a strong recommendation for Federal Civilian Executive Branch (FCEB) agencies still utilizing the tool to discontinue its use by January 7, 2026. This directive aims to eliminate the attack surface presented by unsupported software.
“ASUS is committed to software security and consistently provides real-time updates to help protect and enhance devices,” ASUS stated in a support page. The company reiterated that automatic, real-time software updates were available via the ASUS Live Update application and urged users to update to version 3.6.8 or higher to address the security concerns. However, with the impending end-of-support, reliance on this older software now poses an unacceptable risk to federal networks.
The Path Forward and Future Considerations
The directive from CISA to FCEB agencies marks a critical juncture in managing the residual risks from the ASUS Live Update vulnerability. The January 7, 2026, deadline is a clear call to action for these agencies to transition away from the vulnerable software. The primary next step will involve agencies confirming their migration from ASUS Live Update to alternative, supported solutions and eradicating any remaining instances of the software from their networks.
Beyond federal agencies, other organizations and individuals using ASUS devices are also advised to review their software versions and ensure they are updated to a patched version or have discontinued the use of the Live Update client altogether. The ongoing exploitation of this vulnerability, coupled with its end-of-support status, presents a persistent threat. Future considerations will likely focus on how organizations manage software lifecycle and supply chain risks, especially as vendors phase out older, potentially vulnerable tools.
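The review step described above, as an added example that is not part of the article or of any ASUS or CISA tooling: a PowerShell inventory check that looks for the Live Update client in the standard Windows uninstall registry keys and classifies what it finds against the versions and deadline the article cites. The `DisplayName` match pattern is an assumption; the version thresholds and the date come from the text.

```powershell
# Added example (not from the article, ASUS or CISA): inventory ASUS Live Update
# on a Windows host and classify it against the article's version and date facts.
$PatchedMin = [version]'3.6.8'        # ASUS says this release resolved the compromise
$LastBuild  = [version]'3.6.15'       # final release; client is end-of-support
$Deadline   = [datetime]'2026-01-07'  # CISA discontinue-by date for FCEB agencies

# Standard per-machine uninstall registries (64-bit and 32-bit views)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsusLiveUpdateFinding {
    # Keep uninstall entries whose name looks like the Live Update client (assumed pattern)
    $apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*ASUS Live Update*' }

    $daysLeft = [int]($Deadline.Date - (Get-Date).Date).TotalDays
    $deadlineText = $Deadline.ToString('yyyy-MM-dd')

    if (-not $apps) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Version = $null;
                                  Status = 'not installed'; Action = 'none'; DaysToDeadline = $daysLeft }
    }

    foreach ($app in $apps) {
        $ver = $null
        $parsed = [version]::TryParse([string]$app.DisplayVersion, [ref]$ver)

        if (-not $parsed) {
            $status = 'installed, version string unreadable'
            $action = 'verify manually, then remove'
        } elseif ($ver -lt $PatchedMin) {
            $status = "below $PatchedMin (fix for CVE-2025-59374 absent)"
            $action = 'remove immediately'
        } elseif ($ver -gt $LastBuild) {
            $status = "reports $ver, newer than the final $LastBuild release"
            $action = 'verify binary provenance, then remove'
        } else {
            $status = "patched ($ver) but client is end-of-support"
            $action = "remove or migrate before $deadlineText"
        }

        [pscustomobject]@{ Host = $env:COMPUTERNAME; Version = $app.DisplayVersion;
                           Status = $status; Action = $action; DaysToDeadline = $daysLeft }
    }
}

Get-AsusLiveUpdateFinding | Format-Table -AutoSize
```

Run it with an elevated shell across the fleet (for example through your endpoint management tool) and collect the objects into a CSV to track the January 7, 2026 deadline.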