Exploitation Summary
CVE-2025-59374 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 17, 2025.
Description
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://www.asus.com/news/hqfgvuyz6uyayje1/
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59374
Scores
CVSS v3
9.8
EPSS
0.2063
EPSS Percentile
95.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2025-12-17
VulnCheck KEV
2025-12-17
ENISA EUVD
EUVD-2025-203872
CWE
CWE-506
Status
published
Products (1)
asus/live_update
< 3.6.8
Published
Dec 17, 2025
KEV Added
Dec 17, 2025
Tracked Since
Feb 18, 2026