Seven years after the notorious ‘Operation ShadowHammer’ supply chain attack, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning: the backdoor within the ASUS Live Update utility is still exploitable. This persistent vulnerability underscores the long-term risks associated with compromised software supply chains and the lasting impact of sophisticated cyberattacks.

The initial Operation ShadowHammer, exposed in 2019, involved malicious actors injecting malware into signed ASUS software updates. This allowed them to distribute malware to a massive user base, estimated to be over a million devices globally. The attackers specifically targeted a small number of machines with unique identifiers, demonstrating a highly sophisticated and targeted approach within a broad compromise. The backdoor essentially provided a hidden mechanism for attackers to maintain access and deliver further payloads to affected systems.

The warning from CISA highlights that even after years, the underlying weaknesses that facilitated this attack have not been fully eradicated or sufficiently mitigated across all instances of the software. This situation presents an ongoing risk to users who may still be operating older, unpatched versions of the ASUS Live Update utility. Organizations and individual users often rely on software update mechanisms as a secure way to maintain system integrity and patch vulnerabilities. When these trusted channels are compromised, as was the case with ASUS Live Update, it erodes user trust and creates a significant challenge for cybersecurity. The fact that CISA is re-issuing a warning suggests that the threat landscape continues to evolve, and lingering vulnerabilities can be re-exploited or discovered anew by opportunistic threat actors.

For users of affected ASUS devices, CISA’s advisory strongly recommends taking immediate action. This includes verifying the version of the Live Update utility installed on their systems. If an outdated or vulnerable version is present, users are advised to either uninstall the utility completely if it is not essential for their operations or ensure it is updated to the latest, secure version provided by ASUS. This proactive approach is crucial for mitigating the risk of potential exploitation.

Furthermore, this incident serves as a stark reminder for all organizations about the importance of rigorous security practices throughout their software development lifecycle, including supply chain security. Regular security audits, robust code signing procedures, and continuous monitoring for anomalies in software distribution channels are essential to prevent similar compromises. End-users must also cultivate a habit of verifying software legitimacy and ensuring all applications are kept up-to-date from official, trusted sources.

The enduring threat from the ASUS Live Update backdoor is a clear illustration of how cyber risks can persist for extended periods, demanding continuous vigilance from both vendors and users to maintain a secure digital environment. Its continued exploitability seven years later underscores the critical need for comprehensive cybersecurity hygiene and rapid remediation of identified vulnerabilities, even those with a long history.