- CISA has added a critical Asus Live Update supply chain compromise (CVE-2025-59374) to its KEV catalog; it relates to tampered installers distributed before 2021.
- The flaw stems from the 2018-2019 incident, in which attackers planted malicious code on Asus update servers.
- Federal agencies must remedy the situation by January 7, and security companies are urging private organizations to follow suit.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new critical vulnerability to its catalog of Known Exploited Vulnerabilities (KEVs), meaning it has seen abuse in the wild.
The vulnerability affects Asus Live Update, a utility that comes pre-installed on many Asus laptops and desktops. It checks Asus servers for updates and installs them automatically, including BIOS files, firmware, drivers and other components.
According to the National Vulnerability Database (NVD), some client versions were distributed “with unauthorized modifications introduced via a supply chain compromise.” These modified versions allow threat actors to “perform unintended actions” on devices that meet certain targeting conditions. It’s also worth mentioning that the Live Update client reached end of support in October 2021.
The bug is now tracked as CVE-2025-59374 and has received a severity score of 9.3/10 (critical).
The Hacker News notes that the vulnerability actually refers to a supply chain attack that was spotted in March 2019. At the time, Asus acknowledged that an advanced persistent threat group had breached some of its servers between June and November 2018.
“A small number of devices were implanted with malicious code via a sophisticated attack on our Live Update servers with the aim of targeting a very small and specific group of users,” Asus noted at the time, releasing version 3.6.8 to fix the flaw.
In addition to the Asus bug, CISA also added a Cisco flaw affecting multiple products, as well as a bug affecting SonicWall SMA1000.
Typically, when CISA adds vulnerabilities to KEV, it means that federal civilian executive branch agencies have three weeks to fix or stop using the products altogether. For the ASUS flaw, agencies have until January 7 to remedy it.
Although it is not required for private sector organizations, security companies generally advise them to follow CISA’s instructions as well.
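To make the KEV deadline actionable, here is an added Python example (not from the article, CISA or Asus) that parses KEV-style records and correlates them with an endpoint inventory, flagging hosts that still run a Live Update client older than the 3.6.8 release the article quotes and counting the days left until the catalog's due date. The record field names follow the public CISA KEV JSON feed; the entries, hostnames, installed versions and dates below are constructed placeholders rather than a real feed download.

```python
"""Triage CISA KEV entries against an endpoint inventory (added example).

Field names follow the CISA KEV JSON feed (cveID, vendorProject, product,
vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate,
knownRansomwareCampaignUse). All records, hosts and dates are constructed.
"""
import json
from datetime import date

# Constructed feed sample: dateAdded and dueDate are placeholders three weeks
# apart, mirroring the remediation window the article describes.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-59374",
            "vendorProject": "ASUS",
            "product": "Live Update",
            "vulnerabilityName": "ASUS Live Update Supply Chain Compromise",
            "dateAdded": "2025-12-17",
            "shortDescription": "Client versions distributed with unauthorized "
                                "modifications via a supply chain compromise.",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product.",
            "dueDate": "2026-01-07",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder record for a product with no known fixed version
            "cveID": "CVE-0000-0000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2025-12-17",
            "shortDescription": "Constructed placeholder record.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-07",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ]
})

# Constructed inventory: hostname -> (installed product string, version).
INVENTORY = {
    "lab-laptop-01": ("ASUS Live Update", "3.6.6"),
    "lab-laptop-02": ("ASUS Live Update", "3.6.8"),
    "lab-desktop-03": ("ExampleVendor ExampleProduct", "1.0"),
}

# First client version without the tampering, as quoted by Asus in the article.
FIXED_VERSIONS = {"CVE-2025-59374": "3.6.8"}


def parse_version(v):
    """Turn '3.6.8' into (3, 6, 8) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def matching_entries(feed_json, installed_product):
    """Return KEV records whose vendor and product both appear in the inventory name."""
    name = installed_product.lower()
    return [e for e in json.loads(feed_json)["vulnerabilities"]
            if e["vendorProject"].lower() in name and e["product"].lower() in name]


def days_remaining(entry, today_iso):
    """Days between today (ISO date string) and the KEV dueDate; negative if overdue."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def triage(feed_json, inventory, today_iso):
    """Classify each host/KEV pair as vulnerable, patched or needing manual review."""
    findings = []
    for host, (product, version) in inventory.items():
        for entry in matching_entries(feed_json, product):
            fixed = FIXED_VERSIONS.get(entry["cveID"])
            if fixed is None:
                status = "review"          # no fixed version known: follow requiredAction
            elif parse_version(version) < parse_version(fixed):
                status = "vulnerable"
            else:
                status = "patched"
            findings.append({
                "host": host,
                "cveID": entry["cveID"],
                "installed": version,
                "fixed": fixed,
                "status": status,
                "days_remaining": days_remaining(entry, today_iso),
                "requiredAction": entry["requiredAction"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(KEV_FEED_JSON, INVENTORY, date.today().isoformat()):
        print(f"{f['host']}: {f['cveID']} {f['status']} "
              f"(installed {f['installed']}, fixed {f['fixed']}, "
              f"{f['days_remaining']} days to due date)")
```

In practice the feed would be fetched from CISA's KEV JSON endpoint and the inventory pulled from an asset or endpoint-management system; the version comparison is the part worth keeping, since a plain string comparison would wrongly rank 3.6.10 below 3.6.8.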