CVE-2025-59374 Overview
CVE-2025-59374 describes a critical supply chain compromise affecting certain versions of the ASUS Live Update client. Unauthorized modifications were introduced into legitimate software builds, causing devices meeting specific targeting conditions to perform unintended actions. This vulnerability is particularly concerning as it represents a sophisticated attack that leveraged trusted software distribution channels to deliver malicious code.
The compromised ASUS Live Update client was distributed through official channels, making detection extremely difficult for end users. The attack specifically targeted devices meeting certain criteria, suggesting a highly targeted operation rather than widespread opportunistic exploitation. While the Live Update client reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected, this CVE serves as an important documentation of the supply chain compromise.
Critical Impact
Devices that installed compromised versions of ASUS Live Update could execute attacker-controlled code with elevated privileges, potentially leading to complete system compromise. This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, confirming active exploitation in the wild.
Affected Products
- ASUS Live Update (all versions prior to End-of-Support in October 2021)
- Windows-based ASUS devices utilizing the Live Update utility
- Systems that installed compromised software builds during the attack window
Discovery Timeline
- 2025-12-17 - CVE-2025-59374 published to NVD
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2025-59374
Vulnerability Analysis
This vulnerability represents a supply chain attack (CWE-506: Embedded Malicious Code) where threat actors successfully compromised the ASUS software build and distribution infrastructure. The attackers injected malicious code into legitimate ASUS Live Update binaries before they were signed and distributed to users. Because the malicious updates were signed with valid ASUS certificates, the compromised software appeared completely legitimate to both users and security software.
The attack was highly targeted, with the malicious payload checking device identifiers against a hardcoded list before executing its malicious functionality. Only devices matching specific MAC addresses or other hardware identifiers would trigger the malicious behavior, allowing the attackers to focus on high-value targets while maintaining a low profile.
Root Cause
The root cause of this vulnerability stems from a compromise of ASUS's software supply chain infrastructure. Attackers gained access to the build or distribution system, enabling them to inject malicious code into software updates that were then digitally signed with legitimate ASUS certificates. This allowed the backdoored updates to bypass security controls that rely on code signing verification.
The embedded malicious code (CWE-506) was designed to:
- Check device identifiers against a targeting list
- Download additional payloads from attacker-controlled infrastructure
- Execute arbitrary commands on targeted systems
Attack Vector
The attack vector leverages the network-based software update mechanism of ASUS Live Update. Users who had the Live Update client installed would automatically download and install the compromised updates, trusting the valid digital signature. The attack required no user interaction beyond normal software update behavior.
The malicious functionality within the compromised updates would:
- Check targeting conditions - The malware examined device-specific identifiers (such as MAC addresses) against an embedded list
- Establish persistence - On targeted systems, the malware would install additional components for persistence
- Contact C2 infrastructure - Compromised systems would reach out to attacker-controlled servers to receive further instructions or payloads
- Execute payloads - Attacker-specified code would be executed with the privileges of the ASUS Live Update service
Detection Methods for CVE-2025-59374
Indicators of Compromise
- Presence of ASUS Live Update versions distributed during the compromise window with anomalous file hashes
- Network connections to known command-and-control infrastructure associated with this campaign
- Unexpected processes spawned by ASUS Live Update components
- Registry modifications or scheduled tasks created by compromised Live Update binaries
Detection Strategies
- Compare hashes of installed ASUS Live Update binaries against known-good and known-compromised hash lists published by ASUS
- Monitor for network traffic to indicators of compromise associated with this supply chain attack
- Review endpoint logs for suspicious behavior patterns from processes associated with ASUS system utilities
- Deploy behavioral detection rules to identify software update processes exhibiting anomalous command execution
Monitoring Recommendations
- Implement network monitoring for connections to known malicious infrastructure associated with this campaign
- Enable enhanced logging for system processes, particularly those related to software updates
- Review historical DNS queries and network connections from systems that may have had ASUS Live Update installed
- Configure endpoint protection to alert on targeting indicators specific to this supply chain compromise
How to Mitigate CVE-2025-59374
Immediate Actions Required
- Verify that ASUS Live Update is no longer installed or has been updated to a clean version using ASUS diagnostic tools
- Run the official ASUS Security Diagnostic Tool to check if your system was affected by the compromised software
- Perform a comprehensive security scan on systems that may have installed compromised versions
- Review network logs for connections to known malicious infrastructure and investigate any matches
Patch Information
ASUS has released updated versions of their software and diagnostic tools to address this supply chain compromise. According to the ASUS News Release, users should:
- Download and run the ASUS Security Diagnostic Tool to verify system integrity
- Ensure all ASUS software is updated to the latest clean versions
- Note that ASUS Live Update has reached End-of-Support (EOS) as of October 2021 and should be removed from systems
This vulnerability is tracked in the CISA Known Exploited Vulnerabilities Catalog, indicating organizations subject to CISA directives must prioritize remediation.
Workarounds
- Completely uninstall ASUS Live Update from affected systems, as the software has reached End-of-Support
- Block network indicators associated with this supply chain attack at the perimeter firewall
- Implement application allowlisting to prevent execution of compromised binaries
- Consider reimaging systems confirmed to have installed compromised versions to ensure complete remediation
- Enable Windows Defender Application Control or similar solutions to prevent execution of unsigned or malicious code
For systems where the ASUS Live Update client cannot be immediately removed, implement network-level blocks to prevent communication with known command-and-control infrastructure. Consult the ASUS security advisory for specific file hashes and network indicators to block.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
