CVE-2025-59374 relates to a historic supply-chain attack on ASUS Live Update software, specifically the ShadowHammer incident from 2018-2019. This CVE has been added to CISA's KEV catalog mainly for documentation purposes, not because of recent active exploitation. #ShadowHammer #CVE2025-59374
Key points
- CVE-2025-59374 documents a past supply-chain attack involving ASUS Live Update software from 2018-2019.
- The affected software is End-of-Life, with no supported devices currently impacted by the vulnerability.
- The CVE's addition to CISA's KEV catalog appears to be retrospective, not indicating active exploitation.
- Despite the end of support, ASUS's recent FAQ updates contain older remediation guidance and version information.
- Security teams should understand that not all CVEs linked to KEV require immediate action, especially for deprecated products.