CVE-2025-59374

CRITICALCISA KEV

9.8

Description

"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published12/17/2025

Last Modified12/18/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorASUS

ProductLive Update

Vulnerability NameASUS Live Update Embedded Malicious Code Vulnerability

KEV Date Added2025-12-17

Remediation Due Date2026-01-07

Ransomware UseUnknown

Affected Products

asus:live_update

Weaknesses (CWE)

CWE-506

References

https://www.asus.com/news/hqfgvuyz6uyayje1/(54bf65a7-a193-42d2-b1ba-8e150d3c35e1)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.