CVE-2025-59374
published 2025-12-17CVE-2025-59374: "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain…
PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-01-07
Exploited in the wild
EPSS
1.08%
61.0th percentile
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asus | live_update | < 3.6.8 | 3.6.8 |
| asus | live_update | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →This CVE documents the 2018-2019 'ShadowHammer' supply-chain attack in which maliciously modified ASUS Live Update binaries were selectively delivered to a small number of targeted systems — no new IOCs or signatures are present in the source material. ↗
- ·The CVE was retrospectively assigned to a historical (2018-2019) supply-chain compromise of ASUS Live Update; the product reached End-of-Support and no currently supported devices are affected. CISA's KEV addition does not indicate current active exploitation. ↗
- ·CISA explicitly noted that KEV addition does not require current active exploitation — this entry reflects retrospective documentation of a resolved historical incident. ↗
- ·The last supported version of ASUS Live Update is 3.6.15 (end-of-support announced 2025/12/4); earlier guidance to upgrade to V3.6.8 or higher was the original 2019 fix. No new exploit or patch is involved. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f3f3-7gxj-g763: "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supp
ghsa_unreviewed·2025-12-17
CVE-2025-59374 [CRITICAL] CWE-506 GHSA-f3f3-7gxj-g763: "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supp
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
VulnCheck
ASUS Live Update Embedded Malicious Code Vulnerability
vulncheck·2025·CVSS 9.3
CVE-2025-59374 [CRITICAL] CWE-506 ASUS Live Update Embedded Malicious Code Vulnerability
ASUS Live Update Embedded Malicious Code Vulnerability
ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: ASUS Live Update
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.asus.com/news/hqfgvuyz6uyayje1/; https://www.cisa.gov/sites/default/files/feeds/known_exploit
CISA
ASUS Live Update Embedded Malicious Code Vulnerability
cisa·2025-12-17·CVSS 9.3
CVE-2025-59374 [CRITICAL] CWE-506 ASUS Live Update Embedded Malicious Code Vulnerability
Vulnerability: ASUS Live Update Embedded Malicious Code Vulnerability
Affected: ASUS Live Update
ASUS Live Update contains an embedded malicious code vulnerability client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.asus.com/support/faq/1018727/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-59374
Remediation Due
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA flags ASUS Live Update CVE, but the attack is years old
blogs_bleepingcomputer·2025-12-22·CVSS 9.3
CVE-2025-59374 [CRITICAL] CISA flags ASUS Live Update CVE, but the attack is years old
## CISA flags ASUS Live Update CVE, but the attack is years old
## Ax Sharma
An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation.
The CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a newly emerging threat.
## Not all CISA KEVs signal urgency
Recent coverage of CVE-2025-59374 has framed the issue as a newly relevant security risk following its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog.
A closer look, however, shows the reality is much more nuanced.
The CVE documents the 2018-2019 "ShadowHammer" supply-chain attack , in which maliciously modified ASUS Live Update binaries were selectively delivered to a smal
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
2025-12-17
Published
2025-12-17
Added to CISA KEV
Exploited in the wild