Supply Chain Vulnerability in ASUS Live Update Client Affects Specific Devices
CVE-2025-59374
Key Information:
- Vendor: Asus
- Status
- Vendor
- CVE Published: 17 December 2025
What is CVE-2025-59374?
The ASUS Live Update client experienced a significant vulnerability due to unauthorized modifications resulting from a supply chain compromise. Certain versions of the software were altered and distributed, leading to unintended actions on devices that met specific targeting conditions. Since these compromised versions are from a product that reached End-of-Support (EOS) in October 2021, only devices with these specific versions installed are affected. Users are urged to uninstall these outdated versions to safeguard their devices.
CISA has reported CVE-2025-59374
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-59374 as being exploited, but CISA does not know it to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
live update before 3.6.6
News Articles
Not all CISA-linked alerts are urgent: ASUS Live Update CVE-2025-59374
An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation. A closer look, however, shows the CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a new att...
3 weeks ago
CISA flags ASUS Live Update CVE, but the attack is years old
3 weeks ago
EPSS Score
35% chance of being exploited in the next 30 days.
Timeline
- 📰 First article discovered by BleepingComputer
- 👾 Exploit known to exist
- 🦅 CISA Reported
- Vulnerability published
- Vulnerability Reserved