The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced via a supply chain compromise that could allow attackers to perform unintended actions.
"Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise," according to a description of the flaw published on CVE.org. "The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected."
It's worth noting that the vulnerability refers to the supply chain attack that came to light in March 2019, when ASUS acknowledged that an advanced persistent threat (APT) group managed to breach some of its servers as part of a campaign codenamed Operation ShadowHammer by Kaspersky. The activity is said to have run between June and November 2018.

The Russian cybersecurity company said the goal of the attacks was to "surgically target" an unknown pool of users whose machines were identified by their network adapters' MAC addresses. The trojanized versions of the artifacts came embedded with a hard-coded list of more than 600 unique MAC addresses.
"A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group," ASUS noted at the time. The issue was fixed in version 3.6.8 of the Live Update software.
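The two facts a responder needs from the paragraphs above are whether a host still runs a client older than the fixed 3.6.8 build and whether any of its adapters carries a MAC address on a targeting list. The following added example (not code from ASUS, Kaspersky or CISA) shows both checks as an offline triage helper; the watch-list in it is constructed placeholder data, not the real ShadowHammer target list, and the adapter MACs are assumed to have been collected separately (for example from `ipconfig /all` output).

```python
"""Triage helper for the ASUS Live Update case: version check plus
adapter-MAC watch-list check. Watch-list entries are CONSTRUCTED samples."""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = "3.6.8"   # build ASUS says resolves the issue
LAST_VERSION = "3.6.15"   # final release; the client is now end-of-support

# Constructed placeholder watch-list (assumption: supplied by the responder).
SAMPLE_WATCHLIST = {"00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"}


def normalize_mac(raw: str) -> str:
    """Canonicalize '00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e' or '00:1a:...'
    to lowercase colon form; raise ValueError for anything that is not
    12 hex digits (tunnel/virtual adapters often report 'N/A')."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.6.15' -> (3, 6, 15). Comparing tuples avoids the string-compare
    trap where '3.6.15' sorts before '3.6.8'."""
    return tuple(int(part) for part in v.strip().split("."))


def client_is_vulnerable(installed: str) -> bool:
    """True when the installed client predates the fixed 3.6.8 build."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def targeted_adapters(adapter_macs: Iterable[str],
                      watchlist: Iterable[str] = SAMPLE_WATCHLIST) -> List[str]:
    """Return the host's adapter MACs that appear on the watch-list,
    ignoring adapters with no usable hardware address."""
    wanted = {normalize_mac(m) for m in watchlist}
    hits = []
    for raw in adapter_macs:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            continue
        if mac in wanted:
            hits.append(mac)
    return hits


if __name__ == "__main__":
    # Constructed host: old client, one adapter on the sample watch-list.
    macs = ["00-1A-2B-3C-4D-5E", "00-11-22-33-44-55", "N/A"]
    print(client_is_vulnerable("3.6.7"), targeted_adapters(macs))
```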
The development comes a few weeks after ASUS formally announced that the Live Update client has reached end-of-support (EOS) as of December 4, 2025. The last version is 3.6.15. As a result, CISA has urged Federal Civilian Executive Branch (FCEB) agencies still relying on the tool to discontinue its use by January 7, 2026.
"ASUS is committed to software security and continuously provides real-time updates to help protect and enhance devices," the company said in a support page. "Automatic, real-time software updates are available via the ASUS Live Update application. Please update the ASUS Live Update to V3.6.8 or higher version to resolve security concerns."