SecurityWeek

CISA Warns of Exploited Flaw in Asus Update Tool

Tracked as CVE-2025-59374, the issue is a software backdoor implanted in Asus Live Update in a supply chain attack.

The US cybersecurity agency CISA on Wednesday warned that hackers have been exploiting a critical vulnerability in the now-discontinued Asus Live Update utility.

The exploited flaw is tracked as CVE-2025-59374 (CVSS score of 9.3) and is described as “an embedded malicious code vulnerability”.

CISA notes that the backdoor was introduced in a supply chain compromise and that affected devices could be abused to perform unintended actions if certain conditions were met.

The warning refers to Operation ShadowHammer, a sophisticated supply chain attack mounted in 2018 by Chinese state-sponsored hackers. The attack was linked to the ShadowPad backdoor and attributed to APT41 (also tracked as Brass Typhoon, Wicked Panda, and Barium).

As part of the attack, the hacking group injected a backdoor into Asus Live Update, a utility that came pre-installed on most Asus devices and was used to automatically update BIOS, UEFI, drivers, and other components.

While over 1 million Asus users might have downloaded the backdoored utility, the hackers were reportedly interested in only around 600 specific devices, based on hashed MAC addresses hardcoded in various versions of the tool.

The attack was uncovered in January 2019, and Asus released a patch by March of the same year.

Asus earlier this month advised that support for the Asus Live Update application has been discontinued. The last Asus Live Update version is 3.6.15.

However, the company said it would continue to provide software updates through the utility, urging users to update to version 3.6.8 or higher to resolve security defects.

On Wednesday, CISA added CVE-2025-59374 to its Known Exploited Vulnerabilities (KEV) catalog, warning of the Asus Live Update backdoor and urging federal agencies to stop using the utility.

Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable products in their environments and address the issue.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.