Vulnerability | International | BleepingComputer
Not all CISA-linked alerts are urgent: ASUS Live Update CVE-2025-59374
Monday, December 22, 2025
What
The CVE-2025-59374 vulnerability documents the 'ShadowHammer' supply-chain attack where compromised ASUS Live Update binaries were delivered to targeted systems. Despite its critical CVSS rating of 9.3, the software has not been supported since October 2021, meaning no currently supported devices are affected. The recent addition of this CVE to CISA's KEV catalog has been misinterpreted as a sign of ongoing exploitation, when in fact it formalizes a historical issue.
Where
Global, affecting users of ASUS Live Update software.
When
The original attack occurred between 2018 and 2019, with the CVE being assigned in December 2025.
Key Factors
- CVE-2025-59374 relates to a supply-chain attack from 2018-2019.
- ASUS Live Update reached End-of-Life in October 2021.
- The CVE's addition to the KEV catalog does not indicate current exploitation.
Takeaways
- Organizations should critically assess the urgency of CISA-linked CVEs, especially for EoL products.
- Media coverage can sometimes misrepresent the significance of vulnerabilities, leading to unnecessary alarm.
- Users should ensure they are using supported software to avoid vulnerabilities.