The recent chatter around CVE-2025-59374 has led some to believe ASUS Live Update is facing a new wave of exploitation. In reality, this CVE documents the historic 2018–2019 ShadowHammer supply-chain attack, not a fresh incident.
Key Points
- CVE-2025-59374 describes malicious ASUS Live Update binaries distributed during the ShadowHammer attack.
- The affected software is End-of-Life (EoL): ASUS Live Update reached end of support in October 2021.
- Despite its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog, there is no evidence of current exploitation.
- CISA clarified that KEV entries can include older vulnerabilities if they were exploited historically — addition does not imply ongoing attacks.
FAQ & Advisory Confusion
- ASUS’ FAQ page was updated in December 2025, but this was a documentation refresh, not a new advisory.
- Screenshots and remediation guidance still date back to 2019, showing continuity with the original ShadowHammer fix.
- The FAQ now lists version 3.6.15 as the “last version,” but this release existed as early as March 2024.
- Earlier advice (2019–2022) recommended upgrading to 3.6.8 or higher, which already resolved the issue.
Practical Guidance
- No currently supported ASUS products are affected.
- If you still run ASUS Live Update, ensure you are on the latest version (3.6.15).
- Treat this CVE as historical documentation, not an urgent patching requirement.
- Security teams should be cautious when interpreting CISA KEV entries — not all signal immediate risk, especially for retired software.
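The version guidance above can be applied to an exported software inventory. The following is an added example, not code from ASUS or from this article: it sorts reported Live Update versions into buckets using the two thresholds the article gives (3.6.8 and 3.6.15). The host names, inventory format and bucket labels are assumptions made for illustration.

```python
import re

# Thresholds taken from the page; padded to four parts for tuple comparison.
FIXED_FLOOR = (3, 6, 8, 0)    # 2019-2022 advice: upgrade to 3.6.8 or higher
LAST_VERSION = (3, 6, 15, 0)  # FAQ lists 3.6.15 as the last version

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def classify(version_text):
    """Map a reported Live Update version to a triage bucket."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # unparseable: check the host by hand
    if v < FIXED_FLOOR:
        return "below-fix"        # older than the 3.6.8 floor
    if v < LAST_VERSION:
        return "fixed-not-last"   # at or above 3.6.8, not yet 3.6.15
    if v == LAST_VERSION:
        return "last-version"     # nothing newer to install; product is EoL
    return "unrecognized"         # above 3.6.15: not a version the page lists

def triage(inventory):
    """inventory: iterable of (host, version_text) -> {host: bucket}."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed inventory rows (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("lab-nb-01", "3.6.15"),
    ("lab-nb-02", "3.6.8"),
    ("lab-nb-03", "3.5.9"),
    ("lab-nb-04", "v3.6.10.0"),
    ("lab-nb-05", ""),
]

if __name__ == "__main__":
    # Naive string comparison gets this wrong: "3.6.15" < "3.6.8" is True.
    for host, bucket in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{bucket}")
```

Versions are compared as integer tuples because a plain string comparison would rank 3.6.15 below 3.6.8.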
Takeaway
CVE-2025-59374 is a formalized record of the ShadowHammer attack, not a new supply-chain compromise. The KEV listing reflects retrospective classification, not active exploitation. For defenders, the lesson is clear: context matters — not every KEV addition demands urgent action, particularly when the product is long out of support.