Cyber Posture

CVE-2025-59374

Critical · CISA KEV · Active Exploitation

Published: 17 December 2025

Modified: 18 December 2025
KEV Added: 17 December 2025
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3475 (97.0th percentile)
Risk Priority: 60 (60% EPSS · 20% KEV · 20% CVSS)

Description

"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Prohibits use of end-of-support system components like the ASUS Live Update client, directly preventing deployment of supply chain compromised EOS versions.

prevent

Requires verification of component authenticity to block installation of tampered ASUS Live Update builds from supply chain compromises.

prevent · detect

Deploys malicious code protection mechanisms to prevent execution and detect embedded malicious code (CWE-506) in compromised client versions.

Security Summary · AI

CVE-2025-59374 involves a supply chain compromise in certain versions of the ASUS Live Update client, which were distributed with unauthorized modifications. These altered builds could cause devices meeting specific targeting conditions to perform unintended actions, classified under CWE-506 (Embedded Malicious Code). Only devices that satisfied these conditions and installed the compromised versions were affected. The Live Update client reached End-of-Support in October 2021, and no currently supported ASUS devices or products are impacted.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): the vector describes exploitation over the network with low complexity, no privileges, and no user interaction. Attackers leveraging the supply chain compromise could target qualifying devices through the modified client, with high impact on confidentiality, integrity, and availability from the unintended actions triggered on those systems.

ASUS has issued details via their news advisory at https://www.asus.com/news/hqfgvuyz6uyayje1/, and the issue appears in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374. Given the end-of-support status, no patches are available; mitigation requires verifying that compromised versions are not installed on any legacy devices meeting the targeting conditions.

Details

CWE(s)
KEV Date Added: 17 December 2025

Affected Products

asus · live update · ≤ 3.6.8

MITRE ATT&CK Enterprise Techniques · AI

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

CVE describes a supply chain compromise via unauthorized modifications to ASUS Live Update client builds (CWE-506 Embedded Malicious Code), directly enabling T1195.002: Compromise Software Supply Chain.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References