The US Cybersecurity and Infrastructure Security Agency (CISA) has warned about the active exploitation of a critical vulnerability in Asus Live Update, stemming from a large-scale supply chain attack. The flaw allows malicious code execution and is linked to the notorious ShadowHammer operation attributed to China-linked APT groups.

The vulnerability, tracked as CVE-2025-59374 with a CVSS score of 9.3, is described as an “embedded malicious code backdoor.” It was implanted directly into Asus Live Update, a utility previously preinstalled on most Asus laptops and desktops and used to automatically update BIOS, UEFI, drivers, and other system components.
According to CISA, affected systems could be leveraged to perform unpredictable actions under specific conditions. While more than one million users may have installed the compromised utility, the attackers reportedly targeted only around 600 specific devices, identified through hashed MAC addresses hardcoded into various versions of the software.
The vulnerability is linked to the ShadowHammer operation uncovered in 2019. The campaign was associated with the ShadowPad backdoor and attributed to APT41, also known as Brass Typhoon, Wicked Panda, or Barium. It is considered one of the most sophisticated supply chain attacks, as the malicious updates were delivered using legitimate digital certificates.
Asus has since discontinued Live Update, with version 3.6.15 being the last release, and advised users to update to version 3.6.8 or later. CISA added CVE-2025-59374 to its Known Exploited Vulnerabilities (KEV) catalog and ordered US federal agencies to stop using the utility within three weeks under directive BOD 22-01.
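The two defender-relevant details above (targeting by hashed MAC address hardcoded into the utility, and the 3.6.8 version floor) translate into a straightforward fleet triage check. The following script is an added example written for this page, not code from ASUS, CISA or the ShadowHammer investigators: it takes an inventory of hosts with their installed Live Update version and NIC MAC addresses and flags hosts that run a build older than 3.6.8 or carry a NIC whose hash is on a target list. It assumes the implant compared an MD5 digest of the MAC in lowercase colon-separated form (the hash algorithm is a parameter so it can be swapped), and the target hashes and inventory are constructed placeholders, not real indicators.

```python
"""Fleet triage for the Asus Live Update implant (added example, assumptions
labelled inline; the target-hash list and inventory below are constructed)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Floor the article cites: ASUS advised updating to 3.6.8 or later.
MIN_SAFE_VERSION = (3, 6, 8)

# Constructed stand-ins for targeted MACs. A real checker would load the hash
# list published by investigators rather than recompute it from plaintext MACs.
_CONSTRUCTED_TARGET_MACS = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01"]


def parse_version(version: str) -> tuple:
    """'3.6.15' -> (3, 6, 15); tuple comparison orders numerically, so 3.6.15 > 3.6.8."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so the same NIC hashes identically
    regardless of how the inventory tool recorded it."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str, algo: str = "md5") -> str:
    """Assumption: the implant matched an MD5 of the canonical MAC string.
    usedforsecurity=False keeps this working on FIPS-restricted builds."""
    h = hashlib.new(algo, usedforsecurity=False)
    h.update(normalize_mac(mac).encode("ascii"))
    return h.hexdigest()


TARGETED_MAC_HASHES = frozenset(mac_hash(m) for m in _CONSTRUCTED_TARGET_MACS)


@dataclass
class Host:
    name: str
    live_update_version: Optional[str]  # None means the utility is not installed
    macs: list = field(default_factory=list)


def triage_host(host: Host) -> dict:
    """Two independent signals per host: a vulnerable build is present, and a
    NIC matches the target list. A matched NIC is escalated even when the build
    is already fixed or the utility is gone, because a targeted machine may have
    run the implant before the update."""
    findings = {"host": host.name, "vulnerable_build": False, "targeted_nic": []}
    if host.live_update_version is not None:
        findings["vulnerable_build"] = parse_version(host.live_update_version) < MIN_SAFE_VERSION
    for mac in host.macs:
        if mac_hash(mac) in TARGETED_MAC_HASHES:
            findings["targeted_nic"].append(normalize_mac(mac))
    findings["escalate"] = bool(findings["targeted_nic"])
    return findings


def triage(hosts: list) -> list:
    return [triage_host(h) for h in hosts]


# Constructed inventory so the script runs stand-alone.
SAMPLE_HOSTS = [
    Host("lab-01", "3.6.5", ["00-11-22-33-44-55"]),   # old build, targeted NIC
    Host("lab-02", "3.6.15", ["02:00:00:00:00:01"]),  # final build, not targeted
    Host("lab-03", "3.6.7", ["02:00:00:00:00:02"]),   # old build, not targeted
    Host("lab-04", None, ["aabbccddee01"]),           # utility removed, targeted NIC
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
```

The version check alone would clear lab-04, which is exactly the host an incident responder most wants to see: removing or updating the utility does not undo what the implant may have done on a machine whose MAC was on the list, so the NIC match drives escalation independently of the build.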

The Asus Live Update case highlights the persistent danger of supply chain attacks. Even trusted, vendor-signed software can become a stealthy access vector, particularly when nation-state APT groups with significant resources are involved.