- CISA has added a critical Asus Live Update supply chain compromise (CVE-2025-59374) to its KEV catalog; the entry covers manipulated installer builds distributed before the tool reached end of support in 2021
- The entry traces back to the 2018-2019 incident in which attackers planted malicious code on Asus update servers
- Federal agencies must act by January 7, and security companies are urging private organizations to do the same
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new critical vulnerability to its catalog of Known Exploited Vulnerabilities (KEV), meaning the agency has evidence that it is being abused in the wild.
The vulnerability affects Asus Live Update, a utility that comes pre-installed on many Asus laptops and desktops. It checks Asus servers for updates and installs them automatically, including BIOS files, firmware, drivers, and more.
According to the National Vulnerability Database (NVD), certain versions of the client were distributed “with unauthorized modifications introduced through a supply chain compromise.” These modified builds allow threat actors to “perform unwanted actions” on devices that meet certain targeting conditions. It’s also worth mentioning that the Live Update client reached end of support in October 2021.
The bug is now tracked as CVE-2025-59374 and has been assigned a severity score of 9.3/10 (critical).
The Hacker News notes that the vulnerability actually refers to a supply chain attack that was detected in March 2019. Back then, ASUS acknowledged that an advanced persistent threat (APT) group had breached some of its servers between June and November 2018.
“A small number of devices have had malicious code implanted through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific group of users,” Asus said at the time, releasing version 3.6.8 to address the flaw.
Along with the Asus bug, CISA also added a Cisco bug affecting multiple products, as well as a bug affecting the SonicWall SMA1000.
Typically, when CISA adds flaws to KEV, Federal Civilian Executive Branch (FCEB) agencies have three weeks to patch the affected products or stop using them altogether. For the ASUS entry, agencies have until January 7 to remediate.
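For administrators working through the "fix or stop using" step, the first question is which Windows hosts still carry the utility and at what version. The following PowerShell inventory check is an added example, not code from the article, from ASUS or from CISA. It assumes the product registers under the standard Uninstall registry keys with a display name containing "ASUS Live Update" (adjust the pattern if your fleet's builds use a different name) and compares the installed version against 3.6.8, the release the article says ASUS shipped to address the compromise.

```powershell
# Added example (not from the article, ASUS or CISA): inventory ASUS Live Update
# on a Windows host and flag builds older than 3.6.8.
# Assumption: the utility registers under the standard Uninstall keys with a
# DisplayName containing "ASUS Live Update"; the pattern is a guess, not a spec.

$FixedVersion  = [version]'3.6.8'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Pull every uninstall entry (32- and 64-bit views) and keep the Live Update ones.
$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ASUS Live Update*' }

if (-not $found) {
    Write-Output 'ASUS Live Update not found in the Uninstall registry keys.'
    return
}

foreach ($app in $found) {
    # DisplayVersion is a free-form string; parse defensively rather than trusting it.
    $installed = $null
    $parsed    = [version]::TryParse($app.DisplayVersion, [ref]$installed)

    $status = if (-not $parsed) {
        'UNKNOWN VERSION - inspect manually'
    } elseif ($installed -lt $FixedVersion) {
        'VULNERABLE - older than 3.6.8'
    } else {
        'At or above 3.6.8 - tool is end-of-support since Oct 2021, consider removal'
    }

    [pscustomobject]@{
        DisplayName     = $app.DisplayName
        DisplayVersion  = $app.DisplayVersion
        InstallLocation = $app.InstallLocation
        Status          = $status
    }
}
```

Run it from an elevated session on each host, or push it through your endpoint management tooling and collect the objects centrally. The version comparison is an inventory aid, not proof that a host was never touched by a tampered build; given that the client has been out of support since October 2021, the simplest way to satisfy the KEV directive is to remove it outright.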
While it is not mandatory for private sector organizations, security companies often recommend that they also follow CISA’s guidance.