CVE-2025-59374

CVSS 9.3 CRITICAL · EPSS 1.1% · KEV · CWE-506
Vexday Risk Score
58 Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.3 · EPSS 1.1% · KEV yes · PoC · Nuclei · Metasploit · Patch referenced
Lifecycle
17 Dec 2025: Active exploitation (CISA KEV)
17 Dec 2025: Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Versions of the ASUS Live Update client were tampered with during production, allowing attackers to make affected devices perform unwanted actions if specific conditions were met. Only older, unsupported devices that installed these compromised versions were at risk.

Technical detail

A supply chain compromise affected the ASUS Live Update client: unauthorized modifications were injected into distributed builds. An attack requires the device to match specific targeting conditions and to have installed the compromised version; the impact includes arbitrary unintended device actions. The product reached EOS in October 2021; no currently supported versions or devices are affected.

Summary generated and translated by AI from the official description.
"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
ASUS · live update
