
CVE-2025-59374: Critical Supply Chain Compromise in ASUS Live Update Client

CVE ID: CVE-2025-59374

Severity: CRITICAL | CVSS: 9.8

Sources: 2 different security sources

Let Me Explain What Happened

Let me walk you through something serious that happened with ASUS computers, though I want to reassure you right away—this affects only older, unsupported software. Attackers managed to sneak malicious code into certain versions of ASUS Live Update, a utility that helps keep ASUS computers up to date. Think of it like someone tampering with packages before they reach your doorstep—except in this case, the packages were software updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to their Known Exploited Vulnerabilities catalog on December 17, 2025, which means they have evidence that attackers are actively using this weakness in the wild.

A Bit More Detail

Here's what's particularly concerning about this situation: this wasn't a simple coding mistake or oversight. This was a deliberate supply chain attack where unauthorized modifications were introduced into the ASUS Live Update client before it reached users. The compromised versions contained embedded malicious code that could cause affected devices to perform unintended actions—but only if those devices met specific targeting conditions the attackers had programmed. The good news is that ASUS Live Update reached End-of-Support back in October 2021, meaning no currently supported devices or products are affected by this issue. However, CISA's decision to flag this vulnerability indicates they're seeing active exploitation attempts, likely targeting organizations that haven't fully retired older systems.

The Technical Specifics

  • Attack Vector: NETWORK - Attackers can exploit this remotely over a network connection
  • Attack Complexity: LOW - No special conditions are needed once the compromised software is installed
  • Privileges Required: NONE - Attackers don't need any special access or credentials
  • User Interaction: NONE - The malicious code can execute without any user action
  • Scope: UNCHANGED - The vulnerability affects only the vulnerable component
  • Impact: HIGH across Confidentiality, Integrity, and Availability - Attackers could potentially read sensitive data, modify system files, and disrupt operations
  • CWE Classification: CWE-506 (Embedded Malicious Code) - This specifically identifies code that was intentionally inserted to perform unauthorized actions
  • Affected Products: Certain versions of ASUS Live Update client (product reached End-of-Support in October 2021)
  • CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note: The Hacker News reported a CVSS score of 9.3, though the authoritative NVD data shows 9.8. Both scores place this firmly in the CRITICAL severity range.

Understanding Supply Chain Attacks

Let me take a moment to explain why supply chain compromises like this are so dangerous. Imagine you always buy your groceries from a trusted store—you don't inspect every item because you trust the source. Software works the same way. When you download an update from ASUS, you trust that it's legitimate and safe. Supply chain attacks exploit this trust by compromising the software before it reaches you. In this case, attackers managed to inject malicious code into the ASUS Live Update client during its distribution process, meaning users who downloaded what they thought was a legitimate update actually received compromised software.

What makes this particularly sophisticated is the targeted nature of the attack. The malicious code didn't activate on every infected system—it only performed its unintended actions on devices that met specific conditions. This selective targeting helps attackers avoid detection while focusing on their intended victims, whether those are specific organizations, geographic regions, or system configurations.

What You Should Do About This

  • Right Now - Immediate Actions:
    • Inventory your systems: Check whether any computers in your environment still have ASUS Live Update installed. Since this software reached End-of-Support in October 2021, it should have been removed long ago, but legacy systems sometimes slip through the cracks.
    • Uninstall immediately: If you find ASUS Live Update on any systems, remove it immediately. There's no legitimate reason to keep End-of-Support software installed, and it represents a significant security risk.
    • Check for indicators of compromise: Review system logs for unusual network connections, unexpected process executions, or other anomalous behavior on systems that had ASUS Live Update installed. Pay particular attention to systems that might have met the attackers' targeting criteria.
    • Isolate suspicious systems: If you find any evidence of compromise, immediately isolate those systems from your network to prevent lateral movement.
  • For the Long Term - Strategic Improvements:
    • Implement software lifecycle management: Create and enforce policies for identifying and removing End-of-Support software. This vulnerability highlights the risks of keeping outdated software in your environment.
    • Review your supply chain security: Evaluate how you verify the integrity of software updates. Consider implementing additional verification steps, such as checking digital signatures and using hash verification for downloaded software.
    • Monitor CISA's KEV catalog: Federal agencies are required to patch KEV vulnerabilities within specific timeframes, and private organizations should treat these as high-priority threats as well. Subscribe to CISA alerts to stay informed about actively exploited vulnerabilities.
    • Upgrade affected systems: If you're still running systems old enough to have used ASUS Live Update, it's time to seriously consider hardware and software upgrades. Systems this old likely have numerous other security vulnerabilities.
    • Enhance detection capabilities: Ensure your security monitoring can detect unusual behavior from legitimate software, as supply chain compromises can bypass traditional signature-based detection.

Detection and Hunting Guidance

If you're a security analyst or IT professional responsible for threat hunting, here's what you should look for:

  • Process monitoring: Look for ASUS Live Update processes (typically named something like "LiveUpdate.exe") running on systems, especially those that haven't been updated recently.
  • Network connections: Monitor for unexpected outbound connections from systems that had ASUS Live Update installed. The compromised versions would likely attempt to communicate with attacker-controlled infrastructure.
  • File integrity: If you have baseline hashes for legitimate ASUS Live Update versions, compare them against what's installed on your systems to identify potentially compromised versions.
  • Timeline analysis: Review when ASUS Live Update was installed or updated on systems. Installations or updates during the compromise window should be treated as suspicious.
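One way to script the file-integrity and timeline checks above, as an added example that is not from the original advisory. The candidate file name, the baseline hash set and the review window are assumptions the analyst supplies; the page gives none of them.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: names to hunt for; the page only says 'something like "LiveUpdate.exe"'.
CANDIDATE_NAMES = {"liveupdate.exe"}

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def hunt(roots, known_good, window=None):
    """List candidate binaries under roots, least trusted first."""
    # known_good: SHA-256 digests from your own baseline; window: (start, end) in UTC.
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.name.lower() not in CANDIDATE_NAMES or not path.is_file():
                continue
            try:
                sha = sha256_file(path)
                mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            except OSError:
                findings.append({"path": str(path), "status": "unreadable"})
                continue
            findings.append({
                "path": str(path),
                "sha256": sha,
                "status": "baseline-match" if sha in known_good else "unknown-hash",
                "in_window": bool(window and window[0] <= mtime <= window[1]),
                "modified_utc": mtime.isoformat(),
            })
    order = {"unknown-hash": 0, "unreadable": 1, "baseline-match": 2}
    return sorted(findings, key=lambda f: (order[f["status"]], f["path"]))

if __name__ == "__main__":
    # Constructed sample tree: one file matches the baseline, one does not.
    with tempfile.TemporaryDirectory() as tmp:
        for sub, data in (("a", b"constructed-good"), ("b", b"constructed-other")):
            (Path(tmp) / sub).mkdir()
            (Path(tmp) / sub / "LiveUpdate.exe").write_bytes(data)
        baseline = {hashlib.sha256(b"constructed-good").hexdigest()}
        for finding in hunt([tmp], baseline):
            print(finding)
```

A "baseline-match" result still means End-of-Support software is present and should be removed; "unknown-hash" and "in_window" findings are the ones to triage first.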

The Broader Context

This vulnerability carries the designation "UNSUPPORTED WHEN ASSIGNED," which is important to understand. This means that when the CVE was officially assigned and published, the affected software was already past its End-of-Support date. ASUS stopped supporting Live Update in October 2021, more than four years before this CVE was published in December 2025. This raises an important question: why assign a CVE for unsupported software?

The answer lies in CISA's decision to add this to their Known Exploited Vulnerabilities catalog. Despite being unsupported, CISA has evidence that attackers are actively exploiting this vulnerability in the wild. This suggests that enough organizations still have this old software installed that it remains a viable attack vector. It's a reminder that attackers don't care whether software is supported—they care whether it's vulnerable and accessible.

Going Deeper: MITRE ATT&CK Framework Mapping

For those interested in the advanced threat intelligence perspective, this attack maps to several MITRE ATT&CK techniques:

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain: The primary technique used here, where attackers compromised the ASUS Live Update software before it reached end users.
  • T1554 - Compromise Client Software Binary: The attackers embedded malicious code directly into the legitimate software binary.
  • T1027 - Obfuscated Files or Information: The selective activation based on targeting conditions suggests the malicious code was designed to avoid detection through conditional execution.
  • T1071 - Application Layer Protocol: The compromised software likely used standard application protocols for command and control to blend in with legitimate traffic.

Why This Matters

Even though this affects End-of-Support software, this vulnerability serves as an important case study in several areas. First, it demonstrates that supply chain attacks remain a persistent and serious threat. Second, it highlights the importance of software lifecycle management—keeping outdated software around creates unnecessary risk. Third, it shows that even when vendors do the right thing by ending support for old products, organizations don't always follow through with removal, leaving themselves vulnerable.

The CRITICAL severity rating of 9.8 reflects the worst-case potential impact: remote exploitation requiring no authentication or user interaction, with high impact on confidentiality, integrity, and availability. While the targeted nature of the attack means not every infected system would be affected, any system that met the attackers' conditions would be fully compromised.

Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere, and verify that any remediation steps are appropriate for your specific environment. When dealing with potential compromises, consider engaging incident response professionals to ensure thorough investigation and remediation.
