CVE-2025-59374
ASUS Live Update Embedded Malicious Code Vulnerability
Confirmed exploited in the wild. Added 2025-12-17.
Federal remediation due 2026-01-07.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Summary
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
References
- https://www.asus.com/news/hqfgvuyz6uyayje1/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374
Data: NIST NVD + CISA KEV. NVD last modified 2025-12-18. Always verify against the vendor advisory before acting.