Attack

CISA reports active exploitation of ASUS Live Update supply chain vulnerability

Take action: If you have ASUS Live Update utility installed, immediately update to version 3.6.8 or higher, or better yet, uninstall it completely since it's now discontinued. Given the previous supply chain compromise and end-of-support status, remove the utility and download updates directly from ASUS's official website.


Learn More

CISA is reporting active exploitation of a vulnerability in the now-discontinued ASUS Live Update utility.

The vulnerability is tracked as CVE-2025-59374 (CVSS score 9.3), an embedded malicious code vulnerability that was introduced through a supply chain compromise. The backdoor was installed into specific versions of the ASUS Live Update client, which came pre-installed on most ASUS devices and was used for automatically updating BIOS, UEFI, drivers, and other components. 

The compromised versions could allow attackers to gain unauthorized access, execute arbitrary code, deploy malware, or further compromise victim environments.

The warning references Operation ShadowHammer, a supply chain attack mounted between June and November 2018 by Chinese state-sponsored hackers. The hackers infiltrated ASUS's software distribution infrastructure and injected a backdoor into the Live Update utility. The malicious code contained hardcoded lists of over 600 specific MAC addresses, allowing the attackers to surgically target selected devices and remain undetected on systems that did not match the targeting criteria. 

Over 1 million ASUS users worldwide potentially downloaded the backdoored utility during the compromise period. Once the backdoor was running on a victim's device, it verified the system's MAC address against the hardcoded table embedded in the malicious code. If the MAC address matched one of the entries, the malware would download the next stage of malicious code from the attackers' command and control servers. Otherwise, the updater had no network activity, which is why the attack went undiscovered for an extended period despite affecting potentially millions of systems. The attack was uncovered in January 2019 by Kaspersky Lab researchers, who immediately notified ASUS of their findings and provided detailed indicators of compromise and detection rules.

ASUS created an online security diagnostic tool to check for affected systems and provided direct customer service assistance to reach out to affected users. The company emphasized that only the notebook version of Live Update was affected.

Following CISA's addition of CVE-2025-59374 to the KEV catalog on December 18, 2025, Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of January 7, 2026, to identify vulnerable products in their environments and discontinue use of the affected utility per Binding Operational Directive (BOD) 22-01. 

ASUS formally announced on December 4, 2025, that the Live Update client has reached end-of-support status, with version 3.6.15 being the last available version, but the company continues to provide software updates through the utility and urges users to update to version 3.6.8 or higher. 
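As an added example (not from ASUS, CISA, or the original article), the sketch below triages a software inventory export against the 3.6.8 threshold quoted above. The CSV layout, host names, and action strings are constructed for illustration. Versions are compared as integer tuples because a plain string comparison ranks "3.6.15" below "3.6.8".

```python
import csv
import io

MIN_VERSION = (3, 6, 8)  # minimum version quoted in the article

# Constructed inventory export; host names and column names are hypothetical.
SAMPLE_INVENTORY = """host,product,version
nb-001,ASUS Live Update,3.6.15
nb-002,ASUS Live Update,3.6.8
nb-003,ASUS Live Update,3.4.3
nb-004,ASUS Live Update,
nb-005,ASUS Live Update,3.6.7 beta
nb-006,Other Updater,1.0.0
"""


def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, product="ASUS Live Update"):
    """Map host -> recommended action for every row that lists the product."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != product.lower():
            continue
        version = parse_version(row["version"] or "")
        if version is None:
            # Missing or unparsable version: fail closed, do not assume it is patched.
            findings[row["host"]] = "unknown version: inspect and remove"
        elif version < MIN_VERSION:
            findings[row["host"]] = "below 3.6.8: update or remove now"
        else:
            # At or above the threshold, but the utility is end-of-support.
            findings[row["host"]] = "3.6.8 or later: end-of-support, plan removal"
    return findings


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}")
```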
