cbcvebase.
CVE-2025-59374
published 2025-12-17

CVE-2025-59374: "UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain…

PriorityP186critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-01-07
Exploited in the wild
EPSS
1.08%
61.0th percentile
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
asuslive_update< 3.6.83.6.8
asuslive_update

Detection & IOCsextracted from sources · hover to see the quote

  • This CVE documents the 2018-2019 'ShadowHammer' supply-chain attack in which maliciously modified ASUS Live Update binaries were selectively delivered to a small number of targeted systems — no new IOCs or signatures are present in the source material.
  • ·The CVE was retrospectively assigned to a historical (2018-2019) supply-chain compromise of ASUS Live Update; the product reached End-of-Support and no currently supported devices are affected. CISA's KEV addition does not indicate current active exploitation.
  • ·CISA explicitly noted that KEV addition does not require current active exploitation — this entry reflects retrospective documentation of a resolved historical incident.
  • ·The last supported version of ASUS Live Update is 3.6.15 (end-of-support announced 2025/12/4); earlier guidance to upgrade to V3.6.8 or higher was the original 2019 fix. No new exploit or patch is involved.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.