
- CISA has added CVE-2025-59374, a critical supply chain compromise of the Asus Live Update client, to its KEV catalog; the entry covers tampered installers distributed before 2021
- The flaw stems from a 2018-2019 incident in which attackers planted malicious code on Asus update servers
- Federal agencies must address the problem by January 7, and security companies are urging private organizations to do the same.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a new critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning it has seen evidence of the flaw being abused in the wild.
The vulnerability affects Asus Live Update, a utility that comes pre-installed on many Asus laptops and desktops. It polls Asus servers for updates and installs them automatically, including BIOS images, firmware, drivers and other components.
According to the National Vulnerability Database (NVD), certain versions of the client were distributed “with unauthorized modifications introduced through supply chain compromise.” These modified versions allow threat actors to “perform unintended actions” on devices that meet certain targeting conditions. It is also worth noting that the Live Update client reached end of support in October 2021, so there is no maintained version to update to; removing the client is the practical remediation on machines that still carry it.
The bug is now tracked as CVE-2025-59374 and has a severity score of 9.3/10 (Critical).
The vulnerability actually refers to a supply chain attack that was disclosed in March 2019 (reported by Kaspersky under the name ShadowHammer). At the time, ASUS admitted that an advanced persistent threat group had compromised some of its servers between June and November 2018.
“A small number of devices have been seeded with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small, specific group of users,” Asus noted at the time, releasing version 3.6.8 to address the flaw.
In addition to the Asus bug, CISA also added a Cisco bug affecting multiple products, as well as a bug affecting the SonicWall SMA1000.
Typically, when CISA adds a flaw to the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline to patch the affected products or stop using them entirely. For the ASUS bug, agencies have until January 7 to address it.
Although the deadline is not mandatory for private sector organizations, security companies usually advise them to follow CISA's KEV guidance as well.
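As an added example (not TechRadar's, CISA's or Asus's code), the script below turns the KEV mechanics described above into a check a defender could run against an asset inventory: it parses an excerpt in the shape of CISA's public KEV JSON feed, matches entries against local (vendor, product, version) records, computes the days left to each due date, verifies that the due date equals the date added plus the three-week window, and compares an installed Asus Live Update version against the 3.6.8 release. The feed excerpt and the inventory are constructed for this example; the dateAdded value is an assumption derived from the January 7 deadline minus three weeks, and the ExampleVendor asset is a hypothetical name.

```python
"""Triage CISA KEV entries against a local software inventory.

Added example, not code from the article or from CISA. The feed layout mirrors
the public KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
but the entry below is a constructed excerpt: only the CVE ID, vendor, product
and the January 7 due date come from the article; dateAdded is an assumption.
"""
import json
from datetime import date, timedelta

# Remediation window the article describes for FCEB agencies (three weeks).
KEV_WINDOW_DAYS = 21

# Constructed excerpt in the shape of the KEV feed. A real run would read the
# downloaded JSON file instead of this string.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-59374",
      "vendorProject": "ASUS",
      "product": "Live Update",
      "vulnerabilityName": "ASUS Live Update Supply Chain Compromise",
      "dateAdded": "2025-12-17",
      "dueDate": "2026-01-07"
    }
  ]
}
"""


def load_kev(feed_text):
    """Parse the KEV feed JSON and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def parse_version(text):
    """Turn '3.6.8' into (3, 6, 8) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def live_update_needs_action(installed_version, fixed_version="3.6.8"):
    """True when an Asus Live Update build predates the 3.6.8 release that
    replaced the tampered installers. The client has been end-of-support since
    October 2021, so in practice the answer to True is removal, not upgrade."""
    return parse_version(installed_version) < parse_version(fixed_version)


def kev_status(entry, today):
    """Classify a KEV entry relative to today's date; returns (label, days_left)."""
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days
    if days_left < 0:
        return "overdue", days_left
    if days_left <= 7:
        return "due within a week", days_left
    return "scheduled", days_left


def due_date_consistent(entry, window_days=KEV_WINDOW_DAYS):
    """Check that dueDate equals dateAdded plus the expected remediation window."""
    added = date.fromisoformat(entry["dateAdded"])
    return date.fromisoformat(entry["dueDate"]) == added + timedelta(days=window_days)


def triage(feed_text, inventory, today):
    """Match inventory (vendor, product, version) tuples against KEV entries and
    return one report row per matching (asset, entry) pair. Matching is
    case-insensitive on vendorProject and product."""
    rows = []
    for entry in load_kev(feed_text):
        for vendor, product, version in inventory:
            if (vendor.lower() == entry["vendorProject"].lower()
                    and product.lower() == entry["product"].lower()):
                status, days_left = kev_status(entry, today)
                rows.append({
                    "cve": entry["cveID"],
                    "asset": f"{vendor} {product} {version}",
                    "status": status,
                    "days_left": days_left,
                })
    return rows


if __name__ == "__main__":
    # Constructed inventory: one Asus client still installed, one unrelated
    # hypothetical product that should not match anything in the feed.
    inventory = [("ASUS", "Live Update", "3.6.7"), ("ExampleVendor", "ExampleAgent", "1.0")]
    for row in triage(SAMPLE_KEV_JSON, inventory, date(2025, 12, 20)):
        print(row)
    print("Live Update 3.6.7 needs action:", live_update_needs_action("3.6.7"))
```

The version comparison is done on integer tuples deliberately: a string comparison would rank "3.6.10" below "3.6.8", which is exactly the kind of mistake that leaves a host flagged as patched when it is not, or vice versa.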