Okay,here’s a summary of the key points from the provided text,focusing on the confusion surrounding the ASUS Live Update CVE and its implications:
* The CVE is for a 2019 issue: The vulnerability itself dates back to 2019. The recent CVE assignment (in 2025) doesn’t necessarily mean renewed active exploitation.
* FAQ Page is Misleading: The ASUS FAQ page was updated in December 2025, but doesn’t show the original publication date of the data. It simply reflects recent revisions. It also contains conflicting information regarding end-of-support dates.
* Retrospective Classification: Evidence suggests the CVE assignment is a retrospective effort to formally document a known attack from 2019, rather than a response to new exploitation. CISA stated that vulnerabilities can be added to the KEV catalog even without current active exploitation.
* Conflicting End-of-Support Information: The CVE entry states ASUS Live Update reached End-of-Support in October 2021.However,the updated FAQ page claims support ended on December 4,2025.
* Placeholder Page: The FAQ appears to be a regularly updated page providing information on the latest version of Live Update.
* Old Screenshots: the FAQ still includes screenshots with 2019 dates, further indicating it’s a periodically revised page, not a response to a new threat.
* ASUS & CISA unresponsive: BleepingComputer attempted to get clarification from both ASUS and CISA but received limited responses.
In essence, the article argues that the recent CVE assignment is likely a formality, and the updated FAQ page is confusing and potentially misleading, creating unneeded alarm about a vulnerability that is already considered resolved for supported systems. The key takeaway is to ensure you have the latest patched version if you are still using a version of the software, but the software is officially end-of-life.
