Dec 18, 2025Ravie LakshmananVulnerability / Software program Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Wednesday added a crucial flaw impacting ASUS Dwell Replace to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS rating: 9.3), has been described as an “embedded malicious code vulnerability” launched via a provide chain compromise that might permit attackers to carry out unintended actions.
“Sure variations of the ASUS Dwell Replace shopper have been distributed with unauthorized modifications launched via a provide chain compromise,” in accordance with an outline of the flaw revealed in CVE.org. “The modified builds may trigger units assembly particular concentrating on circumstances to carry out unintended actions. Solely units that met these circumstances and put in the compromised variations have been affected.”
It is price noting that the vulnerability refers back to the provide chain assault that got here to gentle in March 2019, when ASUS acknowledged that a sophisticated persistent risk (APT) group managed to breach a few of its servers as a part of a marketing campaign codenamed Operation ShadowHammer by Kaspersky. The exercise is alleged to have run between June and November 2018.
The Russian cybersecurity firm mentioned the purpose of the assaults was to “surgically goal” an unknown pool of customers whose machines have been recognized by their community adapters’ MAC addresses. The trojanized variations of the artifacts got here embedded with a hard-coded checklist of greater than 600 distinctive MAC addresses.
“A small variety of units have been implanted with malicious code via a classy assault on our Dwell Replace servers in an try to focus on a really small and particular person group,” ASUS famous on the time. The difficulty was fastened in model 3.6.8 of the Dwell Replace software program.
The event comes a couple of weeks after ASUS formally introduced that the Dwell Replace shopper has reached end-of-support (EOS) as of December 4, 2025. The final model is 3.6.15. Consequently, CISA has urged Federal Civilian Govt Department (FCEB) businesses nonetheless counting on the device to discontinue its use by January 7, 2026.
“ASUS is dedicated to software program safety and constantly offers real-time updates to assist shield and improve units,” the corporate mentioned in a assist web page. “Automated, real-time software program updates can be found by way of the ASUS Dwell Replace software. Please replace the ASUS Dwell Replace to V3.6.8 or increased model to resolve safety considerations.”
