CISA has added a new ASUS vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling urgent risk for affected users and organizations.
The flaw, tracked as CVE-2025-59374, affects ASUS Live Update, a utility commonly used to deliver firmware and software updates to ASUS devices.
According to the advisory, specific ASUS Live Update clients were distributed with embedded malicious code after attackers introduced unauthorized modifications through a supply chain compromise.
These modified builds can cause devices that meet specific targeting conditions to perform unintended actions.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-59374 |
| Affected Product | ASUS Live Update |
| Vulnerability Type | Embedded Malicious Code |
| Related CWE | CWE-506 |
| Attack Vector | Supply Chain Compromise |
| Impact | Unintended device actions, potential malware deployment |
| Product Status | End-of-Life (EoL) / End-of-Service (EoS) |
These unintended actions could potentially allow attackers to gain control of the device, deploy malware, or further compromise victim environments.
The exact targeting logic has not been publicly detailed. However, the presence of tailored conditions suggests a focused and potentially advanced campaign.
CISA notes that the impacted product may already be end-of-life (EoL) or end-of-service (EoS). This increases risk because such products often no longer receive security updates.
As a result, the agency advises users and organizations to discontinue use of the product if effective mitigations are not available.
The vulnerability is associated with CWE-506 (Embedded Malicious Code), a weakness category that covers scenarios where malicious content is inserted into otherwise legitimate software.
This kind of supply chain compromise is hazardous because it abuses trust in vendor update mechanisms and can scale quickly across many systems.
It is currently unknown whether CVE-2025-59374 is being used in ransomware campaigns. Its inclusion in the KEV catalog means active exploitation has been observed in the wild.
CISA requires U.S. federal civilian agencies to apply vendor mitigations or discontinue use by January 7, 2026, and strongly urges all other organizations to follow the same guidance.
Security teams should immediately review their environments for affected ASUS Live Update deployments and apply any available vendor fixes. When mitigations are not feasible, remove or replace affected software as quickly as possible.
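A starting point for the inventory step above, as an added example that is not from CISA's advisory or from ASUS: a PowerShell snippet that lists ASUS Live Update installs on a Windows host by scanning the standard Uninstall registry keys and hashes the executables it finds for comparison against trusted values. It assumes the client registers there with a DisplayName containing "ASUS Live Update"; adjust the pattern if your builds register differently.

```powershell
# Added example (not from CISA or ASUS): inventory ASUS Live Update installs on a Windows host.
# Assumption: the client registers in the standard Uninstall keys with a DisplayName
# containing "ASUS Live Update". Run as an administrator for complete results.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AsusLiveUpdateInstall {
    [CmdletBinding()]
    param(
        # Pattern matched against DisplayName; change it if your builds use another name.
        [string]$NamePattern = 'ASUS Live Update'
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$NamePattern*" } |
        Select-Object @{Name = 'Host'; Expression = { $env:COMPUTERNAME }},
                      DisplayName,
                      DisplayVersion,
                      Publisher,
                      InstallDate,
                      InstallLocation,
                      @{Name = 'RegistryKey'; Expression = { $_.PSPath }}
}

# Hash the executables under each install directory so they can be compared against
# vendor-published or internally trusted hashes (the advisory itself lists none).
function Get-AsusLiveUpdateBinaryHash {
    foreach ($install in Get-AsusLiveUpdateInstall) {
        if ($install.InstallLocation -and (Test-Path $install.InstallLocation)) {
            Get-ChildItem -Path $install.InstallLocation -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
                Get-FileHash -Algorithm SHA256 |
                Select-Object @{Name = 'Version'; Expression = { $install.DisplayVersion }}, Path, Hash
        }
    }
}

# Usage: list installs, then emit binary hashes for review or escalation.
Get-AsusLiveUpdateInstall | Format-Table -AutoSize
Get-AsusLiveUpdateBinaryHash | Format-Table -AutoSize
```

Any host that reports an install is a candidate for the vendor mitigation or for removal, per the guidance above; the hashes give responders something concrete to compare if trusted values become available.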
