CVE-2025-59374 — ASUS Live Update Embedded Malicious Code Vulnerability

ASUS Live Update — Operation ShadowHammer Supply Chain Backdoor (APT41 / Brass Typhoon)

What is ASUS Live Update?

ASUS Live Update is a software utility pre-installed on ASUS laptops and desktop computers that automatically checks for and installs driver, BIOS, and software updates. It runs as a background service with elevated system privileges and regularly communicates with ASUS update servers over HTTPS. Because it runs with system-level access, a backdoored version can silently install additional malware, exfiltrate data, or establish persistent access without any user interaction. Supply chain attacks against software update mechanisms are particularly dangerous because victims have no reason to distrust updates from their device manufacturer.

Overview

CVE-2025-59374 formally documents the Operation ShadowHammer supply chain compromise, in which the Chinese state-sponsored group APT41 (Brass Typhoon, Wicked Panda, Barium) breached ASUS infrastructure in 2018 and injected a backdoor into legitimately signed ASUS Live Update binaries. The backdoored builds were distributed to hundreds of thousands of ASUS users through official ASUS update channels. The malicious code contained a hardcoded list of over 600 MAC addresses targeting specific high-value machines; on devices not matching the list the backdoor stayed dormant. ASUS Live Update reached end-of-support in December 2025, and CISA assigned this CVE and added it to the KEV catalog to flag that systems still running old versions may harbor compromised software.

Affected Versions

Product                         | Vulnerable                                                       | Fixed / Action
ASUS Live Update prior to 3.6.8 | All versions distributed during the 2018–2019 compromise window  | Upgrade to 3.6.8+ to remove malicious code
ASUS Live Update 3.6.8 – 3.6.15 | Not affected by ShadowHammer                                     | Clean builds
ASUS Live Update (all versions) | Product is EoL (Dec 4, 2025)                                     | Discontinue use entirely

CISA's guidance: do not use ASUS Live Update in any version. Remove it from all systems.

Technical Details

The vulnerability (CWE-506: Embedded Malicious Code) was introduced via a supply chain compromise. APT41 gained unauthorized access to ASUS's software build or distribution infrastructure and injected a backdoor into ASUS Live Update binaries. The malicious builds were signed with a valid, legitimate ASUS digital certificate — making them cryptographically indistinguishable from authentic updates. Windows code-signing verification would pass for these binaries, so signature checks alone could not have caught the compromise.

The backdoor logic checked the MAC address of the host's primary network adapter against an encrypted list of over 600 specific MAC addresses. If the MAC address matched a target, the backdoor made a second-stage network connection to attacker-controlled infrastructure to download and execute additional malware. Machines not on the target list were infected with the backdoored binary but left dormant — a technique designed to minimize forensic detection by limiting active malicious behavior to only pre-selected targets.

Discovery

Kaspersky Lab discovered Operation ShadowHammer in January 2019 and publicly disclosed it on 25 March 2019. ASUS acknowledged the compromise and issued a clean version (3.6.8) the same day.

Exploitation Context

APT41 (Brass Typhoon, Wicked Panda, Barium) — a Chinese state-sponsored threat actor with dual espionage and financial crime mandates — conducted Operation ShadowHammer in 2018, targeting specific high-value individuals with surgical precision. The 600+ MAC addresses suggest pre-identified targets of intelligence interest. Kaspersky estimated that backdoored ASUS Live Update binaries were distributed to over one million devices globally, with only a small fraction actively targeted. CISA assigned CVE-2025-59374 in December 2025 as a retrospective action to formally document this known, confirmed exploitation event and prompt removal of the EoL software from federal networks. The KEV deadline of 7 January 2026 required all FCEB agencies to remove ASUS Live Update.

Remediation

  1. Remove ASUS Live Update from all systems — the software is end-of-life and CISA's guidance is to discontinue use entirely. Uninstall via Windows Settings → Apps or use a managed removal script.
  2. For systems running pre-3.6.8 versions: these systems may have been compromised in 2018–2019. Consider them potentially compromised and conduct forensic investigation if these are high-value assets.
  3. Use Kaspersky's ShadowHammer checker tool (available at securelist.com) to verify whether a system's MAC address appears in the list of targeted addresses.
  4. Replace ASUS Live Update's function with enterprise driver/BIOS management tooling (e.g., vendor-specific management tools, SCCM/Intune driver management, BIOS update policies via MDM).
  5. Remove from enterprise asset inventory — if deploying ASUS hardware, ensure new systems' Live Update is uninstalled as part of the standard OS deployment process.
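An added example (not from the advisory, ASUS or CISA) that applies the affected-versions table and the remediation steps above to a software inventory: it classifies each host carrying ASUS Live Update as either a potentially compromised pre-3.6.8 build needing forensic review or a clean but end-of-life build needing removal. The inventory lines, hostnames and versions are constructed sample data; the check deliberately compares versions numerically, because a lexical comparison would sort 3.6.10 below 3.6.8 and misclassify a clean build.

```python
"""Triage an ASUS Live Update software inventory against the CVE-2025-59374 guidance.

Added example, not from the advisory. Inventory lines are constructed sample data in the
form host,product,version, as an endpoint-management export might produce.
"""

FIRST_CLEAN = (3, 6, 8)    # first build without the ShadowHammer backdoor
LAST_RELEASE = (3, 6, 15)  # final release before end-of-support (2025-12-04)

# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """\
ws-fin-01,ASUS Live Update,3.5.2
ws-fin-02,ASUS Live Update,3.6.8
lab-asus-07,ASUS Live Update,3.6.10
lab-asus-08,ASUS Live Update,3.6.15
eng-dell-03,Dell Command Update,5.1.0
ws-fin-03,ASUS Live Update,3.6.9.1
"""

ACTIONS = {
    # Distributed in the 2018-2019 compromise window: treat host as potentially compromised.
    "investigate": "pre-3.6.8 build: remove, then conduct forensic review of the host",
    # Clean build, but the product is end-of-life: removal is still required.
    "remove": "clean build but product is EoL: uninstall and replace with managed tooling",
}


def parse_version(text: str) -> tuple:
    """Turn '3.6.10' into (3, 6, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Map an installed version to an action code from ACTIONS."""
    return "investigate" if parse_version(version) < FIRST_CLEAN else "remove"


def triage(inventory_csv: str) -> dict:
    """Return {host: action code} for every host with ASUS Live Update installed."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if product.lower() != "asus live update":
            continue  # other vendors' updaters are out of scope here
        results[host] = classify(version)
    return results


if __name__ == "__main__":
    for host, code in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {code:12} {ACTIONS[code]}")
```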

Key Details

Property             | Value
CVE ID               | CVE-2025-59374
Vendor / Product     | ASUS — Live Update
NVD Published        | 2025-12-17
NVD Last Modified    | 2025-12-18
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-506
CISA KEV Added       | 2025-12-17
CISA KEV Deadline    | 2026-01-07
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2026-01-07. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2018-06-01 | APT41 conducts supply chain compromise of ASUS Live Update servers; backdoored binaries distributed to users
2019-01-01 | Kaspersky Lab discovers Operation ShadowHammer
2019-03-25 | Kaspersky publicly discloses Operation ShadowHammer; ASUS acknowledges and issues clean version 3.6.8
2025-12-04 | ASUS Live Update reaches end-of-support (final version 3.6.15)
2025-12-17 | CVE-2025-59374 assigned (retrospective); CISA adds to KEV catalog; ASUS guidance: discontinue use
2026-01-07 | CISA BOD 22-01 remediation deadline — FCEB agencies must remove ASUS Live Update