A critical vulnerability in ASUS Live Update, tracked as CVE-2025-59374, has been actively exploited in the wild, prompting its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog on December 17, 2025. This zero-day flaw, with a CVSS score of 9.8, was leveraged by attackers before its public disclosure, highlighting a significant supply chain compromise.
The vulnerability, categorized under CWE-506, involves unauthorized modifications to certain versions of the ASUS Live Update client. These modifications were introduced through a supply chain attack, allowing attackers to manipulate the software to perform unintended actions on targeted devices. The exploitation of this flaw underscores the critical nature of supply chain security, as it enables attackers to bypass traditional security measures by embedding malicious code directly into trusted software updates.
The exploitation of CVE-2025-59374 has been confirmed, with the Exploit Prediction Scoring System (EPSS) rating it at 0.347, indicating a moderate likelihood of exploitation. The Security Severity Vulnerability Classification (SSVC) has marked this vulnerability as requiring immediate action, urging organizations to prioritize patching and mitigation efforts.
ASUS has yet to release a patch for the affected versions of the Live Update client. Organizations using ASUS Live Update are advised to monitor for updates and apply them as soon as they become available. In the interim, disabling the Live Update feature or implementing network-level protections may help mitigate the risk of exploitation. Security teams should also review their supply chain security practices to prevent similar incidents in the future.
CSURFACE