An ASUS Live Update vulnerability tracked as CVE-2025-59374 has been making the rounds in infosec feeds, with some headlines implying recent or ongoing exploitation.
The CVE documents a historic supply-chain attack in an End-of-Life (EoL) software product, not a newly emerging threat.
Not all CISA KEVs signal urgency
Recent coverage of CVE-2025-59374 has framed the issue as a newly relevant security risk following its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog.
A closer look, however, shows the reality is much more nuanced.
The CVE documents the 2018-2019 "ShadowHammer" supply-chain attack, in which maliciously modified ASUS Live Update binaries were selectively delivered to a small number of targeted systems.
The CVE entry for the compromise, now rated 9.3 (Critical) on the CVSS scale, states:
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
The "UNSUPPORTED WHEN ASSIGNED" marker alone indicates that the CVE was filed for an EoL product.
The primary vendor advisory linked from the CVE entry dates from 2019. That advisory in turn links to an FAQ, https://www.asus.com/support/faq/1018727/, whose last-updated timestamp reads 2025/12/06 20:09.
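As an added example (not code from the article, ASUS or CISA), the following Python helper shows how a triage pipeline can read a KEV-style feed together with the corresponding CVE JSON 5.x records and route entries that carry the "unsupported-when-assigned" marker to an EoL review queue instead of the patching queue. The feed and record contents below are constructed samples, and the priority labels are my own convention.

```python
import json

# Constructed sample data (not a real download): a feed in the CISA KEV JSON layout
# and two CVE records in the CVE JSON 5.x layout. The first record carries the EoL
# marker both as a CNA tag and in its description text, as the real entry does.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-59374", "vendorProject": "ASUS", "product": "Live Update",
         "dateAdded": "2025-12-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2025-12-01", "knownRansomwareCampaignUse": "Known"},
    ]
})

CVE_RECORDS = {
    "CVE-2025-59374": {"containers": {"cna": {
        "tags": ["unsupported-when-assigned"],
        "descriptions": [{"lang": "en",
                          "value": "\"UNSUPPORTED WHEN ASSIGNED\" Certain versions of the "
                                   "ASUS Live Update client were distributed with "
                                   "unauthorized modifications ..."}]}}},
    "CVE-0000-0001": {"containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Placeholder description."}]}}},
}


def is_unsupported_when_assigned(record):
    """True if the CVE record carries the EoL marker as a CNA tag or in its text."""
    cna = record.get("containers", {}).get("cna", {})
    if "unsupported-when-assigned" in cna.get("tags", []):
        return True
    return any("UNSUPPORTED WHEN ASSIGNED" in d.get("value", "").upper()
               for d in cna.get("descriptions", []))


def triage_kev(feed_json, cve_records):
    """Map each KEV cveID to a queue: review-eol, urgent or standard.

    review-eol: product is EoL; confirm no legacy installs remain, nothing to patch.
    urgent:     feed reports known ransomware use; patch or mitigate now.
    standard:   normal KEV remediation timeline.
    """
    queues = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        cve_id = entry["cveID"]
        if is_unsupported_when_assigned(cve_records.get(cve_id, {})):
            queues[cve_id] = "review-eol"
        elif entry.get("knownRansomwareCampaignUse") == "Known":
            queues[cve_id] = "urgent"
        else:
            queues[cve_id] = "standard"
    return queues
```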