Critical ASUS Live Update Flaw Added to CISA KEV Catalog
Summary
CISA has added a critical flaw in ASUS Live Update (CVE-2025-59374, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The vulnerability stems from a supply chain compromise that allowed unauthorized modifications in certain versions, enabling attackers to perform unintended actions. The flaw is linked to the 2019 Operation ShadowHammer campaign by the APT41 group, which targeted around 600 specific devices. The attack was uncovered in January 2019, and Asus released a patch by March of the same year. ASUS Live Update reached end-of-support on December 4, 2025, and CISA urges FCEB agencies to discontinue its use by January 7, 2026. The CVE assignment reflects a retrospective classification effort, formally documenting a well-known attack that predated CVE issuance. The CVE entry states that the software reached end-of-support in October 2021; the updated ASUS FAQ page from December 2025 contradicts this, implying that support definitively ended on December 4, 2025, with version 3.6.15 being the last version. The FAQ page also continues to display older remediation guidance with screenshots bearing 2019 dates, recommending an upgrade to version 3.6.8 or higher to resolve security concerns.
Timeline
- 18.12.2025 07:01 · 4 articles: CISA Adds Critical ASUS Live Update Flaw to KEV Catalog
Sources:
- CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation — thehackernews.com — 18.12.2025 07:01
- CISA Warns of Exploited Flaw in Asus Update Tool — www.securityweek.com — 18.12.2025 15:27
- Not all CISA-linked alerts are urgent: ASUS Live Update CVE-2025-59374 — www.bleepingcomputer.com — 22.12.2025 13:09
- CISA flags ASUS Live Update CVE, but the attack is years old — www.bleepingcomputer.com — 22.12.2025 13:09
Information Snippets
- CVE-2025-59374 is a critical vulnerability in ASUS Live Update with a CVSS score of 9.3.
  First reported: 18.12.2025 07:01 · 3 sources, 4 articles
- The flaw was introduced through a supply chain compromise affecting specific versions of ASUS Live Update.
  First reported: 18.12.2025 07:01 · 3 sources, 4 articles
- The vulnerability is linked to the 2019 Operation ShadowHammer campaign, where an APT group targeted specific users via trojanized updates.
  First reported: 18.12.2025 07:01 · 3 sources, 4 articles
- ASUS Live Update reached end-of-support on December 4, 2025, with the last version being 3.6.15.
  First reported: 18.12.2025 07:01 · 3 sources, 4 articles
- CISA has urged FCEB agencies to discontinue use of ASUS Live Update by January 7, 2026.
  First reported: 18.12.2025 07:01 · 3 sources, 4 articles
- The flaw is described as an embedded malicious code vulnerability.
  First reported: 18.12.2025 15:27 · 2 sources, 3 articles
- The attack targeted around 600 specific devices based on hashed MAC addresses hardcoded in various versions of the tool.
  First reported: 18.12.2025 15:27 · 2 sources, 3 articles
- The attack was uncovered in January 2019 and Asus released a patch by March the same year.
  First reported: 18.12.2025 15:27 · 2 sources, 3 articles
- Asus advised users to update to version 3.6.8 or higher to resolve security defects.
  First reported: 18.12.2025 15:27 · 2 sources, 3 articles
- The CVE-2025-59374 entry states that the affected software, ASUS Live Update, reached End-of-Support (EOS) in October 2021, with no currently supported devices or products affected by this issue.
  First reported: 22.12.2025 13:09 · 1 source, 2 articles
- The updated ASUS FAQ page from December 2025 contradicts the CVE entry, implying that support definitively ended on December 4, 2025, with version 3.6.15 being the last version.
  First reported: 22.12.2025 13:09 · 1 source, 2 articles
- The FAQ page continues to display older remediation guidance with screenshots bearing 2019 dates, recommending upgrading to version 3.6.8 or higher to resolve security concerns.
  First reported: 22.12.2025 13:09 · 1 source, 2 articles
- The release 3.6.15 existed as early as March 2024, meaning there is no new urgency to upgrade contrary to the usual call-to-action following recent supply chain compromises.
  First reported: 22.12.2025 13:09 · 1 source, 2 articles
Similar Happenings
UEFI Flaw Enables Early-Boot DMA Attacks on Multiple Motherboard Vendors
A security vulnerability in UEFI implementations on motherboards from ASRock, ASUS, GIGABYTE, and MSI allows early-boot DMA attacks. The flaw, discovered by researchers at Riot Games, occurs due to a discrepancy in DMA protection status, where the firmware indicates DMA protection is active but fails to enable the IOMMU during the boot phase. This gap allows malicious PCIe devices with physical access to read or modify system memory before the operating system's security features are established. The vulnerabilities, tracked as CVE-2025-14304, CVE-2025-11901, CVE-2025-14302, and CVE-2025-14303, affect various chipset series from the mentioned vendors. Successful exploitation could enable pre-boot code injection and access to sensitive data. Vendors have released firmware updates to address the issue, and users are advised to apply these updates promptly. The vulnerability was discovered by Riot Games researchers Nick Peterson and Mohamed Al-Sharifi, who worked with CERT Taiwan to coordinate a response. On vulnerable systems, some Riot Games titles, such as Valorant, will not launch due to the Vanguard system, which blocks the game to ensure system integrity.
SAP December 2025 Security Updates Address Three Critical Vulnerabilities
SAP released December 2025 security updates fixing 14 vulnerabilities, including three critical flaws across multiple products. The most severe issue, CVE-2025-42880 (CVSS 9.9), is a code injection flaw in SAP Solution Manager ST 720, allowing authenticated attackers to execute malicious code and gain full system control. Another critical flaw, CVE-2025-55754 (CVSS 9.6), affects SAP Commerce Cloud components due to multiple Apache Tomcat vulnerabilities. The third critical flaw, CVE-2025-42928 (CVSS 9.1), is a deserialization vulnerability in SAP jConnect that could enable remote code execution under certain conditions. SAP solutions are widely used in enterprise environments, managing sensitive and high-value workloads, making them attractive targets for attackers. While none of the flaws are marked as actively exploited, administrators are urged to apply the fixes promptly.
Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws
Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning for script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, mandating FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.
Critical Command Injection Vulnerabilities in TP-Link Omada Gateways
TP-Link Omada and Festa VPN routers are affected by six critical command injection vulnerabilities, including newly discovered CVE-2025-7850 and CVE-2025-7851. These flaws allow for arbitrary OS command execution and root access, potentially leading to full compromise, data theft, lateral movement, and persistence. The vulnerabilities affect multiple Omada gateway models and firmware versions. Firmware updates have been released to address these issues. TP-Link Omada gateways are full-stack solutions for small to medium businesses, including router, firewall, and VPN gateway functionalities. The flaws, CVE-2025-6542 and CVE-2025-6541, can be exploited remotely without authentication or via the web management interface. Two additional severe flaws, CVE-2025-8750 and CVE-2025-7851, can allow authenticated command injection and root access under certain conditions. The newly discovered vulnerabilities, CVE-2025-7850 and CVE-2025-7851, are due to an incomplete fix of a previous vulnerability, CVE-2024-21827, leaving residual debug code and insecure private key usage.
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.