CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59374, a critical vulnerability in ASUS Live Update, to its Known Exploited Vulnerabilities (KEV) catalog on December 18, 2025. This action follows confirmation of active exploitation linked to a supply chain compromise initially discovered in 2019.

Current security practices often struggle to address long-tail vulnerabilities and legacy software; ideal models assume prompt patching, but real-world deployments can lag due to compatibility concerns or end-of-life cycles. This flaw highlights the risk of vulnerabilities persisting in software even after initial mitigation attempts, potentially impacting organizations for years and incurring significant remediation costs.

Key Insights

• Operation ShadowHammer, 2018-2019: A sophisticated APT campaign targeting ASUS users via trojanized Live Update clients.
• Supply Chain Attacks: Demonstrate the difficulty of ensuring software integrity when relying on third-party components.
• End-of-Support (EOS): ASUS formally ended support for Live Update on December 4, 2025, exacerbating the risk for users who haven’t migrated.

Practical Applications

• Use Case: Organizations using ASUS devices should immediately discontinue use of Live Update and migrate to alternative update mechanisms.
• Pitfall: Relying on EOS software creates a significant security risk, as vendors no longer provide patches for newly discovered vulnerabilities.

References:

• https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html
• https://cve.org/CVE-2025-59374