The US cybersecurity company CISA on Wednesday warned that hackers have been exploiting a vital vulnerability within the now-discontinued Asus Dwell Replace utility.
The exploited flaw is tracked as CVE-2025-59374 (CVSS rating of 9.3) and is described as “an embedded malicious code vulnerability”.
CISA notes that the backdoor was launched in a provide chain compromise, and that the affected gadgets may very well be abused to carry out unintended actions, if sure situations have been met.
The warning refers to Operation ShadowHammer, a complicated provide chain assault mounted in 2018 by Chinese language state-sponsored hackers. The assault was linked to the ShadowPad backdoor and attributed to APT41 (additionally tracked as Brass Hurricane, Depraved Panda, and Barium).
As a part of the assault, the hacking group injected a backdoor into Asus Dwell Replace, a utility that got here pre-installed on most Asus gadgets and which was used for the automated updating of BIOS, UEFI, drivers, and different elements.
Whereas over 1 million Asus customers may need downloaded the backdoored utility, the hackers have been reportedly all for solely round 600 particular gadgets, based mostly on hashed MAC addresses hardcoded in varied variations of the instrument.
The assault was uncovered in January 2019 and Asus launched a patch by March the identical 12 months.
Asus earlier this month suggested that help for the Asus Dwell Replace software has been discontinued. The final Asus Dwell Replace model is 3.6.15.Commercial. Scroll to proceed studying.
Nonetheless, the corporate mentioned it might proceed to offer software program updates by way of the utility, urging customers to replace to model 3.6.8 or increased to resolve safety defects.
On Wednesday, CISA added CVE-2025-59374 to its Identified Exploited Vulnerabilities (KEV) catalog, warning of the Asus Dwell Replace backdoor and urging federal companies to cease utilizing the utility.
Per Binding Operational Directive (BOD) 22-01, federal companies have three weeks to determine susceptible merchandise of their environments and deal with the problem.
Associated: SonicWall Patches Exploited SMA 1000 Zero-Day
Associated: China-Linked Hackers Exploiting Zero-Day in Cisco Safety Gear
Associated: In-the-Wild Exploitation of Contemporary Fortinet Flaws Begins
Associated: Google Sees 5 Chinese language Teams Exploiting React2Shell for Malware Supply
