
CVE-2025-59374: CWE-506: Embedded Malicious Code in ASUS live update

Severity: Critical
Type: Vulnerability
Tags: CVE-2025-59374, cve, cve-2025-59374, cwe-506
Published: Wed Dec 17 2025 (12/17/2025, 04:27:06 UTC)
Source: CVE Database V5
Vendor/Project: ASUS
Product: live update

Description

"UNSUPPORTED WHEN ASSIGNED" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 06:46:35 UTC

Technical Analysis

CVE-2025-59374 is a critical supply chain vulnerability identified in certain versions of the ASUS Live Update client software distributed before version 3.6.6. The vulnerability stems from unauthorized modifications embedded into the software builds via a supply chain compromise, classified under CWE-506 (Embedded Malicious Code). This malicious code could cause affected devices that meet specific targeting conditions to execute unintended and potentially harmful actions without requiring user interaction, privileges, or authentication. The compromised Live Update client reached End-of-Support in October 2021, meaning no currently supported ASUS devices or products are affected. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild, the presence of embedded malicious code in a widely used update mechanism poses a significant risk. The vulnerability highlights the dangers of supply chain attacks, where trusted software components are compromised before distribution. Organizations with legacy ASUS hardware still running outdated Live Update clients are vulnerable to this threat and should take immediate action to mitigate risks.

Potential Impact

The impact of CVE-2025-59374 is critical due to the potential for unauthorized code execution on affected devices without any user interaction or privileges. This can lead to severe confidentiality breaches, data integrity violations, and availability disruptions. Since the ASUS Live Update client is a trusted system component responsible for updating firmware and software, malicious modifications could allow attackers to deploy persistent backdoors, exfiltrate sensitive information, or disrupt system operations. The supply chain nature of the compromise increases the risk of widespread infection across organizations relying on ASUS hardware with legacy software. Although currently no active exploits are reported, the vulnerability could be leveraged in targeted attacks against organizations with outdated ASUS systems, potentially impacting sectors such as government, defense, manufacturing, and enterprises with large ASUS hardware deployments. The end-of-support status of the affected software complicates remediation and increases exposure for legacy systems still in operation.

Mitigation Recommendations

1. Immediately identify and inventory all ASUS devices running the Live Update client versions prior to 3.6.6, especially those that have not been updated since before October 2021.
2. Disable or uninstall the ASUS Live Update client on legacy systems where possible to prevent execution of compromised update mechanisms.
3. For systems that require ASUS Live Update, upgrade to a supported version or apply vendor-provided patches if available; if no patches exist due to EOS status, consider hardware replacement or isolation of affected devices.
4. Implement network segmentation and strict egress filtering to limit the ability of compromised devices to communicate with external command and control servers.
5. Monitor network and endpoint logs for unusual activity indicative of exploitation attempts, such as unexpected process executions or network connections originating from ASUS update components.
6. Employ application allowlisting to prevent unauthorized code execution from the ASUS Live Update client directory.
7. Enhance supply chain security by validating software integrity using cryptographic signatures and verifying update sources.
8. Educate IT and security teams about the risks of legacy software and the importance of timely decommissioning or patching of unsupported components.
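One way to carry out the inventory step against a software-inventory export, as an added example that is not part of the CVE record or any ASUS tooling: the CSV columns, hostnames and version strings are constructed, and the 3.6.6 threshold is the one stated on this page. Versions are compared numerically so that 3.6.10 is not mistaken for a build older than 3.6.6, and rows with no usable version go to a manual-review bucket.

```python
import csv
import io
import re

# Threshold taken from this page: builds prior to 3.6.6 are in scope.
THRESHOLD = (3, 6, 6)

# Constructed sample export; column names and hosts are assumptions.
SAMPLE_INVENTORY = """hostname,product,version
ws-001,ASUS Live Update,3.4.9
ws-002,ASUS Live Update,3.6.6
ws-003,ASUS Live Update,3.6.10
ws-004,ASUS Live Update,3.6.5.0
ws-005,ASUS Live Update,
ws-006,Some Other Tool,1.0.0
ws-007,asus live update,v3.5
"""

def parse_version(text):
    """Return a tuple of ints, or None if text is not a dotted version."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def triage(csv_text, threshold=THRESHOLD):
    """Sort Live Update hosts into in_scope / at_or_above / review lists."""
    result = {"in_scope": [], "at_or_above": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() != "asus live update":
            continue
        ver = parse_version(row["version"] or "")
        if ver is None:
            result["review"].append(row["hostname"])  # no version: check by hand
            continue
        # Pad with zeros so 3.5 compares as 3.5.0 and 3.6.6.0 equals 3.6.6.
        width = max(len(ver), len(threshold))
        a = ver + (0,) * (width - len(ver))
        b = threshold + (0,) * (width - len(threshold))
        bucket = "in_scope" if a < b else "at_or_above"
        result[bucket].append(row["hostname"])
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `at_or_above` bucket still run an end-of-support client, so steps 2 and 3 apply to them as well.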


Technical Details

Data Version: 5.2
Assigner Short Name: ASUS
Date Reserved: 2025-09-15T01:36:47.359Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69423560364d4dab9cc00c52

Added to database: 12/17/2025, 4:45:20 AM

Last enriched: 2/27/2026, 6:46:35 AM

Last updated: 3/24/2026, 11:46:53 PM
