
CISA Adds Critical ASUS Live Update Vulnerability to KEV Catalog Amid Active Exploitation
On December 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-59374 with a CVSS score of 9.3, is described as an "embedded malicious code vulnerability" introduced via a supply chain compromise. Its inclusion in CISA's KEV catalog indicates that the vulnerability is being actively exploited in the wild.

Supply chain vulnerabilities are particularly concerning because they exploit the trust between software vendors and customers, potentially allowing malicious code to be distributed through legitimate update mechanisms. Given the high CVSS score and evidence of active exploitation, organizations using ASUS Live Update should prioritize patching this vulnerability immediately.

However, the announcement lacks detailed technical information and an impact assessment, which makes it difficult to recommend specific mitigation strategies. Cybersecurity professionals should monitor for updates from ASUS and CISA and consider implementing additional monitoring for any signs of exploitation. The lack of technical detail in the initial announcement highlights the importance of proactive monitoring and rapid response to emerging threats.