- CISA added a critical Asus Live Update supply chain compromise (CVE-2025-59374) to its KEV catalog, linked to tampered installers distributed before 2021
- The bug stems from the 2018-2019 incident where attackers implanted malicious code on Asus update servers
- Federal agencies must remediate by Jan. 7, and security firms urge private organizations to follow suit
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new critical vulnerability to its catalog of known exploited vulnerabilities (KEV), meaning it has seen it being exploited in the wild.
The vulnerability plagues Asus Live Update, a utility that comes pre-installed on many Asus laptops and desktops. It checks Asus servers for updates and installs them automatically, including BIOS files, firmware, drivers and more.
According to the National Vulnerability Database (NVD), certain versions of the client were distributed “with unauthorized changes introduced through a supply chain compromise”. These modified builds allow threat actors to “perform unintended actions” on devices that meet certain targeting conditions. It is also worth noting that the Live Update client reached end of support in October 2021.
Owned by AISURU?
The bug is now tracked as CVE-2025-59374 and was given a severity score of 9.3/10 (Critical).
Hacker News notes that the vulnerability actually refers to a supply chain attack discovered in March 2019. At the time, ASUS acknowledged an advanced persistent threat group breaching some of its servers between June and November 2018.
“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group,” Asus noted at the time, releasing version 3.6.8 to address the bug.
Along with the Asus bug, CISA also added a Cisco bug affecting multiple products, as well as a bug plaguing the SonicWall SMA1000.
Normally, when CISA adds flaws to the KEV, Federal Civilian Executive Branch agencies have a three-week window to remediate them or stop using the affected products altogether. For the ASUS bug, agencies have until January 7 to fix it.
Although not mandatory for private sector organisations, security firms usually advise them to follow CISA’s instructions as well.