The vulnerability in ASUS Live Update, known as CVE-2025-59374, has gained attention in cybersecurity circles, with some reports suggesting a new or ongoing exploitation.
This CVE actually documents an older supply-chain attack related to an End-of-Life (EoL) software product rather than a fresh threat.
Recent narratives around CVE-2025-59374 have branded it as a pertinent security concern after its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
A more in-depth examination, however, reveals a more intricate picture.
The CVE pertains to the 2018-2019 “ShadowHammer” supply-chain attack, during which compromised ASUS Live Update binaries were distributed to a select group of targeted systems.
The CVE entry for this incident, currently rated 9.3 (Critical) on the CVSS scale, states:
“UNSUPPORTED WHEN ASSIGNED” Some versions of the ASUS Live Update client were distributed with unauthorized alterations made during a supply chain breach. These modified versions could cause specific devices to execute unintended tasks. Only the devices that met certain targeting conditions and had installed the altered versions were affected. The Live Update client reached its End-of-Support (EOS) in October 2021; thus, no currently supported devices or products are impacted by this vulnerability.
The phrase “unsupported when assigned” indicates the CVE was registered for an EoL product.
The main vendor advisory linked from the CVE entry dates from 2019 and refers to an FAQ, https://www.asus.com/support/faq/1018727/, last updated on 2025/12/06 20:09.
It is worth noting that this FAQ link was already in place back in 2019 when the advisory was first released.

BleepingComputer has observed that the FAQ does not expose its original publication timestamp; it shows only the most recent update date, December 6 of this month.

The archived versions clarify the page’s intent, showing that recent modifications do not automatically imply renewed risks from the 2019 situation.
The FAQ seems to act as ASUS’ placeholder page, periodically updated to share the latest version users should adopt for their Live Update utility.
Moreover, the page still contains older remediation guidance, complete with 2019 timestamps:

For further insights on the 2025 CVE assignment, BleepingComputer reached out to ASUS ahead of publication but did not receive a response.
We also contacted CISA to learn what led to the CVE’s entry in the KEV catalog.
CISA opted not to provide further comments, directing BleepingComputer to the language found in Binding Operational Directive 22-01, which states:
“The inclusion of a vulnerability in the KEV catalog does not indicate that CISA has detected ongoing active exploitation. Proper reporting of active exploitation could qualify any vulnerability for KEV catalog addition, regardless of its age.”
The available evidence suggests that the CVE assignment is more retrospective in nature, officially documenting a notable incident that predates its issuance.
Users should ensure they have the most updated, patched version of the product.
The CVE entry states that the affected software, ASUS Live Update, reached End-of-Support (EOS) status in October 2021, clarifying that “no currently supported devices or products are impacted by this issue.”
However, the latest ASUS FAQ page contradicts this by suggesting that support definitively ended on December 4, 2025:
“We announced end of support for ASUS LiveUpdate on 2025/12/4, the last version is 3.6.15.”

Previous versions (2019-22) of the FAQ recommended upgrading to “V3.6.8 or higher” to address security concerns, as a fix had been implemented then. That outdated guidance remains unchanged on the updated FAQ from this month.
Version 3.6.15 is now described as the “last version.” This version seems to have been available as early as March 2024, suggesting there is no new urgency surrounding upgrades—contrary to typical calls for quick action following supply chain compromises.
CVE-2025-59374 simply formalizes a well-documented historical incident. The FAQ updates, outdated remediation guidance, the latest utility release, and the context from CISA indicate that the page was revised for documentation, not to address a current exploit or to signal an immediate threat.
Security teams should, therefore, be cautious in interpreting CISA-linked CVEs as urgent, especially for outdated software or previously resolved incidents.
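The triage the article argues for can be made mechanical. The helper below is an added example, not code from the article, ASUS or CISA: it takes a KEV catalog record (the field names cveID, vendorProject, product, dateAdded and shortDescription are the real KEV JSON fields; the values here are constructed placeholders, not the catalog's own data), the CVE description text, and the product's end-of-support date, and flags the entry as retrospective when the CNA's "UNSUPPORTED WHEN ASSIGNED" tag is present and EOS predates the KEV addition. It also checks an installed Live Update version string against the FAQ's "V3.6.8 or higher" guidance.

```python
# Added triage helper (not from the article, ASUS or CISA): decide whether a
# CISA KEV entry looks like a retrospective, end-of-life assignment rather than
# a live threat, and check a version string against the FAQ's minimum version.
from datetime import date
from typing import Optional
import re

EOL_MARKER = "UNSUPPORTED WHEN ASSIGNED"  # CNA tag used for CVEs filed against EoL products

SAMPLE_KEV = {  # constructed: shape follows the KEV JSON feed, values are placeholders
    "cveID": "CVE-2025-59374",
    "vendorProject": "ASUS",
    "product": "Live Update",
    "dateAdded": "2025-12-01",  # placeholder, NOT the catalog's real dateAdded
    "shortDescription": "ASUS Live Update contains a supply chain compromise (placeholder)",
}
SAMPLE_CVE_TEXT = (  # wording taken from the CVE entry quoted in the article
    "UNSUPPORTED WHEN ASSIGNED Some versions of the ASUS Live Update client were "
    "distributed with unauthorized alterations made during a supply chain breach. "
    "The Live Update client reached its End-of-Support (EOS) in October 2021."
)

def parse_version(v: str) -> tuple:
    """'V3.6.8' -> (3, 6, 8); tolerates the leading 'V' used in the ASUS FAQ."""
    return tuple(int(p) for p in re.sub(r"^[Vv]", "", v.strip()).split("."))

def meets_fixed_version(installed: str, minimum: str = "3.6.8") -> bool:
    """True when the installed version satisfies the FAQ's 'V3.6.8 or higher'."""
    return parse_version(installed) >= parse_version(minimum)

def classify_kev_entry(kev: dict, cve_text: str, eos_iso: Optional[str]) -> dict:
    """Return triage flags for one KEV record; eos_iso is the product EOS date (ISO)."""
    added = date.fromisoformat(kev["dateAdded"])
    eos = date.fromisoformat(eos_iso) if eos_iso else None
    eol_tag = EOL_MARKER in cve_text.upper()          # CNA marked the product EoL
    eos_before_add = eos is not None and eos < added  # support ended before KEV listing
    return {
        "cveID": kev["cveID"],
        "eol_marker": eol_tag,
        "eos_before_kev_add": eos_before_add,
        "years_since_eos": (added - eos).days // 365 if eos else None,
        "retrospective": eol_tag and eos_before_add,  # documentation, not a fresh exploit
    }

if __name__ == "__main__":
    print(classify_kev_entry(SAMPLE_KEV, SAMPLE_CVE_TEXT, "2021-10-01"))
    print("3.6.15 meets V3.6.8+:", meets_fixed_version("3.6.15"))
```

A retrospective flag is a prompt to verify the product is absent or already past the fixed version, not a reason to ignore the entry.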