CISA adds critical ASUS Live Update flaw to known exploited vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw affecting the ASUS Live Update client to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The issue is tracked as CVE-2025-59374 and carries a CVSS score of 9.3.

The CVE record describes the problem as an embedded malicious code vulnerability introduced through a supply chain compromise that could allow attackers to cause affected systems to perform unintended actions. The record says only devices that met specific targeting conditions and installed the compromised builds were affected.

The flaw traces back to a supply chain incident first disclosed in March 2019, when vendor statements and industry reporting described a campaign later called Operation ShadowHammer. Vendor notices at the time said the trojanized Live Update builds contained a hard-coded list of more than 600 MAC addresses, so only machines whose network adapters matched that list were targeted, and that the activity ran between June and November 2018; ASUS published a notice acknowledging the incident and its impact on a small number of devices.

ASUS has said the vulnerability was addressed in earlier patches and recommends updating Live Update to version 3.6.8 or later to resolve security concerns; a company support page outlines those recommendations. The vendor also recently announced the Live Update client reached end-of-support as of Dec. 4, 2025, with the last release listed as 3.6.15. CISA has urged Federal Civilian Executive Branch agencies still using the tool to discontinue its use by Jan. 7, 2026.
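To turn the guidance above into a fleet check, here is an added example (not code from CISA or ASUS) that triages a constructed software inventory for Live Update installs below the fixed version 3.6.8, and flags the rest for retirement given the end-of-support date. The CSV layout, hostnames and versions are assumptions; the point it demonstrates is that version strings must be compared numerically, since a plain string comparison ranks the final release 3.6.15 below 3.6.8.

```python
# Added example: triage an inventory for ASUS Live Update installs.
# Inventory format, hostnames and versions are constructed for this example.
import csv
import io
import re

FIXED_VERSION = (3, 6, 8)    # ASUS: update to 3.6.8 or later
LAST_RELEASE = (3, 6, 15)    # final release listed before end-of-support

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
hostname,product,version
ws-001,ASUS Live Update,3.6.5
ws-002,ASUS Live Update,3.6.15
ws-003,ASUS Live Update,3.6.8
ws-004,Some Other Tool,1.2.3
ws-005,ASUS Live Update,3.6.10
"""

def parse_version(text):
    """Turn '3.6.15' into (3, 6, 15) so comparisons are numeric.
    A string comparison would wrongly rank '3.6.15' below '3.6.8'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def triage(inventory_csv):
    """Map each host with Live Update installed to a status.
    'vulnerable'     -> below 3.6.8 (the CVE record also ties actual impact
                        to MAC-address targeting, but treat every old build
                        as exposed until it is updated or removed)
    'end_of_support' -> patched, but the client is end-of-support and
                        CISA asks agencies to discontinue its use."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "asus live update":
            continue
        version = parse_version(row["version"])
        if version < FIXED_VERSION:
            results[row["hostname"]] = "vulnerable"
        else:
            results[row["hostname"]] = "end_of_support"
    return results

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```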

The CISA alert that added the flaw to the KEV catalog is publicly available.