CVE-2025-59374: When a Trusted ASUS Update Turned Into a Silent Backdoor

Aegiron 10 mins0

Vulnerability Name: Embedded Malicious Code in ASUS Live Update
CVE ID: CVE-2025-59374
CVSS v4.0 Score: 9.3 – Critical
CWE: CWE-506 (Embedded Malicious Code)
Vulnerability Type: Supply Chain Compromise
Exploitability: Confirmed active exploitation in the wild
Known Ransomware Use: Unknown
Affected Component: ASUS Live Update Utility
Status: End-of-Support Software

Executive Summary

CVE-2025-59374 is a critical supply chain vulnerability affecting ASUS Live Update, a utility preinstalled on many ASUS systems to deliver driver and firmware updates.

Attackers compromised ASUS’s official update infrastructure and distributed maliciously modified update packages that were digitally signed with legitimate ASUS certificates. Because of this, systems trusted and executed the malware without raising security warnings.

This attack is known as Operation ShadowHammer and is considered one of the most serious real-world supply chain attacks because it abused a trusted vendor update mechanism rather than exploiting a bug on individual systems.

CISA has confirmed that exploitation is active in the wild, and the vulnerability was added to the Known Exploited Vulnerabilities (KEV) Catalog in December 2025.

CISA Status and Mandated Actions

CISA KEV Catalog

  • KEV Entry Date: December 17, 2025
  • Catalog: Known Exploited Vulnerabilities (KEV)

Official CISA KEV Catalog Link:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Binding Operational Directive

  • Directive: BOD 22-01
  • Applies To: Federal Civilian Executive Branch (FCEB) agencies

Mandatory Deadline

  • Remediation Deadline: January 7, 2026

Required Action

  • Discontinue use of ASUS Live Update, or
  • Apply vendor mitigations if still applicable

CISA explicitly warns that legacy software still running ASUS Live Update represents an unacceptable operational risk.

Affected Versions

Confirmed Vulnerable Versions

  • ASUS Live Update 3.5.9
  • ASUS Live Update 3.6.0
  • ASUS Live Update 3.6.2
  • ASUS Live Update 3.6.5

Safe Version

  • ASUS Live Update 3.6.8 or higher
  • Release Date: March 26, 2019

Exploitability Details (How This Is Exploited)

Attack Vector: Network (Remote)

  • The malware was delivered over the internet via official ASUS update servers
  • No physical access, VPN access, or local network access was required

Privileges Required: None

  • Victims did not need administrator rights
  • The ASUS Live Update service already ran with sufficient privileges
  • Malware executed automatically within that trusted context

User Interaction: None

  • No phishing emails
  • No malicious links
  • No fake installers

Victims were compromised simply by allowing routine update checks.

Attack Complexity: Low (Victim Side)

From the victim’s perspective, exploitation was effortless:

  1. ASUS Live Update checks for updates (normal behavior)
  2. Trojanized update downloads from ASUS servers
  3. Installer runs automatically
  4. Backdoor is installed silently

Supply Chain Compromise Explained

Unlike typical vulnerabilities, this was not a coding bug.

The attackers:

  • Gained access to ASUS’s software build and distribution environment
  • Inserted malicious code into legitimate update packages
  • Signed those packages using real ASUS digital certificates
  • Hosted them on official ASUS infrastructure

Because of this:

  • Antivirus tools trusted the files
  • Users saw no warnings
  • Security controls were bypassed by design

Targeting Mechanism (Why Not Everyone Was Fully Infected)

Although the malicious update was widely distributed, the attackers used highly selective targeting:

  • Over 600 MAC addresses were hardcoded into the malware
  • MAC addresses were stored as MD5 hashes to hide targets
  • Only systems matching those MAC addresses:
    • Contacted the command-and-control (C2) server
    • Downloaded a second-stage payload

Non-targeted systems still:

  • Installed the backdoored update
  • Created a marker file
  • Remained dormant

This design reduced detection while maintaining mass distribution.

Indicators of Compromise (IOCs)

Command & Control Infrastructure

Domain:

asushotfix[.]com

IP Address:

141.105.71[.]116

Malicious File Hashes

Trojanized Package: Liveupdate_Test_VER365.zip

  • MD5:
aa15eb28292321b586c27d8401703494
  • SHA-256:
bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19

Malicious Distribution URLs (Hosted on ASUS Infrastructure)

hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip

Compromised Digital Signatures

  • Organization: ASUSTeK Computer Inc.
  • Certificate Serial Number:
05e6a0be5ac359c7ff11f4b367ab20fc

These certificates were valid and not immediately revoked, enabling prolonged abuse.

File System Indicator

Marker File:

.idx.ini
  • Location: User home directory
  • Meaning: System received the malicious update but was not a targeted MAC address

How to Test If a System Is Vulnerable or Previously Compromised

1. Version Check

  • Identify installed ASUS Live Update version
  • Anything below 3.6.8 is vulnerable

2. Hash Scanning

  • Scan systems for the listed SHA-256 and MD5 hashes

3. File System Check

  • Look for .idx.ini files in user directories

4. Network Monitoring

  • Monitor or block connections to:
    • asushotfix[.]com
    • 141.105.71[.]116

5. Certificate Analysis

  • Flag executables signed with certificate serial: 05e6a0be5ac359c7ff11f4b367ab20fc

MAC Address Target Verification Tool

ASUS users can verify whether their device was specifically targeted using the official ShadowHammer checker:

Official ASUS Advisory and Patch Information

ASUS Security Advisory Portal

https://www.asus.com/security-advisory

ASUS Live Update Support FAQ (ShadowHammer)

https://www.asus.com/in/support/faq/1018727

Official Patch Details

Patched Version

  • ASUS Live Update 3.6.8 or later

Security Improvements Introduced

  • Multiple integrity verification mechanisms
  • End-to-end encryption enhancements
  • Hardened update delivery architecture
  • Protection against update tampering

End-of-Support Status (Critical)

  • October 2021: ASUS Live Update declared EOS (per CVE data)
  • December 4, 2025: Final acknowledgment by CISA (last known version 3.6.15)

Important:
ASUS Live Update is no longer supported. No currently supported ASUS products rely on it.

Best Practice:
-> Complete removal is recommended over patching, especially for legacy systems.

Final Takeaway

CVE-2025-59374 represents a complete breakdown of software trust.
Because attackers used legitimate ASUS infrastructure and certificates, traditional security defenses were bypassed by design.

Organizations—especially those under CISA BOD 22-01—must treat any presence of ASUS Live Update as a critical operational incident, not a routine vulnerability.

Immediate inventory, isolation, and removal are strongly advised, particularly for legacy or unmanaged systems.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.