CISA has added a brand new ASUS vulnerability to its Recognized Exploited Vulnerabilities (KEV) catalog, signaling pressing danger for affected customers and organizations.
The flaw, tracked as CVE-2025-59374, impacts ASUS Stay Replace, a utility generally used to ship firmware and software program updates to ASUS gadgets.
In response to the advisory, particular ASUS Stay Replace shoppers had been distributed with embedded malicious code after attackers launched unauthorized modifications by a provide chain compromise.
These modified builds may cause gadgets that meet particular concentrating on situations to carry out unintended actions.
AttributeDetailsCVE IDCVE-2025-59374Affected ProductASUS Stay UpdateVulnerability TypeEmbedded Malicious CodeRelated CWECWE-506Attack VectorSupply Chain CompromiseImpactUnintended system actions, potential malware deploymentProduct StatusEnd-of-Life (EoL) / Finish-of-Service (EoS)
Doubtlessly permitting attackers to realize management, deploy malware, or additional compromise sufferer environments.
The precise concentrating on logic has not been publicly detailed. Nevertheless, the presence of tailor-made situations suggests a centered and doubtlessly superior marketing campaign.
CISA notes that the impacted product might already be end-of-life (EoL) or end-of-service (EoS). This will increase danger as a result of such merchandise typically not obtain safety updates.
In consequence, the company advises customers and organizations to discontinue use of the product if efficient mitigations should not out there.
The vulnerability is related to CWE-506 (Embedded Malicious Code), a weak point class that covers eventualities the place malicious content material is inserted into in any other case official software program.
This type of provide chain compromise is hazardous as a result of it abuses belief in vendor replace mechanisms and may scale shortly throughout many methods.
It’s at the moment unknown whether or not CVE-2025-59374 is being utilized in ransomware campaigns. Its inclusion within the KEV catalog means energetic exploitation has been noticed within the wild.
CISA requires U.S. federal civilian companies to apply vendor mitigations or discontinue use by January 7, 2026, and strongly urges all different organizations to comply with the identical steerage.
Safety groups ought to instantly evaluate their environments for affected ASUS Stay Replace deployments and apply any out there vendor fixes. When mitigations should not possible, take away or exchange affected software program as shortly as attainable.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Guidelines => Begin for Free
