The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a serious vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is tracked as CVE-2025-59374 and is described as an "embedded malicious code vulnerability."
It stems from a supply chain breach that could enable attackers to carry out unintended actions. ASUS announced a few weeks prior that the Live Update client had reached end-of-support (EOS) as of December 4, 2025. CISA has asked Federal Civilian Executive Branch (FCEB) agencies that continue to use the software, which is currently at version 3.6.15, to stop using it by January 7, 2026.
"ASUS is dedicated to software security and continuously offers real-time updates to help protect and improve devices," the company stated on a support page. "Please update the ASUS Live Update to V3.6-8 or higher version to resolve security concerns," the message continued.
"In an effort to target a very small and specific user group, a sophisticated attack on our Live Update servers resulted in the implantation of malicious code on a small number of devices," ASUS reported at the time.











