Asustor Adm vulnerabilities

24 known vulnerabilities affecting asustor/adm.

Total CVEs: 24
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 12, LOW 2

Vulnerabilities

Page 1 of 2
CVE-2018-11510 | P1 | CRITICAL | CVSS 9.8 | Exploited, PoC | Affected: ≤ 3.1.2.rhg1 | Date: 2018-06-28
CVE-2018-11510 [CRITICAL] CWE-78: The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.
Source: nvd
CVE-2026-24936 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.1.RCI1 | Date: 2026-02-03
CVE-2026-24936 [CRITICAL] CWE-20: When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete
Source: nvd
CVE-2023-2910 | P2 | HIGH | CVSS 8.8 | Affected: ≥ 4.0, ≤ 4.0.6.RIS1; ≥ 4.1, ≤ 4.1.0.RLQ1; +1 more | Date: 2023-08-17
CVE-2023-2910 [HIGH] CWE-77: Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Source: nvd
CVE-2023-30770 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 4.0.0.rib4, ≤ 4.0.6.reg2; ≥ 4.1.0.rhu2, < 4.2.1.rge2; +3 more | Date: 2023-04-17
CVE-2023-30770 [CRITICAL] CWE-787: A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vulnerability to execute arbitrary code. Affected ADM versions include: 4.0.6.REG2, 4.1.0 and below as well as 4.2.0.RE71 and below.
Source: nvd
CVE-2026-3179 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.2.RE51 | Date: 2026-02-25
CVE-2026-3179 [HIGH] CWE-22: The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite
Source: nvd
CVE-2023-2909 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 4.0.0, ≤ 4.0.6.reg2; ≥ 4.1.0, ≤ 4.1.0rlq1; +4 more | Date: 2023-05-31
CVE-2023-2909 [CRITICAL] CWE-22: EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below.
Source: nvd
CVE-2022-37398 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 3.5.0, ≤ 3.5.9.rue3; ≥ 4.0.0, ≤ 4.0.5.rvi1; +4 more | Date: 2022-08-05
CVE-2022-37398 [HIGH] CWE-121: A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below.
Source: nvd
CVE-2023-3697 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 4.0, ≤ 4.0.6.RIS1; ≥ 4.1, ≤ 4.1.0.RLQ1; +1 more | Date: 2023-08-17
CVE-2023-3697 [HIGH] CWE-22: Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Source: nvd
CVE-2023-3698 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 4.0, ≤ 4.0.6.RIS1; ≥ 4.1, ≤ 4.1.0.RLQ1; +1 more | Date: 2023-08-17
CVE-2023-3698 [HIGH] CWE-22: Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Source: nvd
CVE-2025-7699 | P3 | HIGH | CVSS 7.1 | Affected: ≥ 4.1.0, ≤ 4.3.3.RH61; ≥ 5.0.0, ≤ 5.0.0.RIN1 | Date: 2025-07-16
CVE-2025-7699 [HIGH] CWE-287: An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside t
Source: nvd
CVE-2026-3100 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.2.RE51 | Date: 2026-02-25
CVE-2026-3100 [MEDIUM] CWE-295: The FTP Backup on the ADM does not strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. Improper TLS/SSL certificate validation allows a remote attacker who can intercept network traffic to perform a Man-in-the-Middle (MitM) attack, which may intercept, modify, or obtain sensitive information such a
Source: nvd
CVE-2026-24933 | P3 | MEDIUM | CVSS 5.9 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.1.RCI1 | Date: 2026-02-03
CVE-2026-24933 [MEDIUM] CWE-295: The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user
Source: nvd
CVE-2026-24935 | P3 | MEDIUM | CVSS 5.6 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.1.RCI1 | Date: 2026-02-03
CVE-2026-24935 [MEDIUM] CWE-295: A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or f
Source: nvd
CVE-2026-24932 | P4 | MEDIUM | CVSS 5.9 | Affected: ≥ 4.1.0, ≤ 4.3.3.ROF1; ≥ 5.0.0, ≤ 5.1.1.RCI1 | Date: 2026-02-03
CVE-2026-24932 [MEDIUM] CWE-295: The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, improper TLS/SSL certificate validation allows a remote attacker who can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS upda
Source: nvd
CVE-2025-13052 | P3 | MEDIUM | CVSS 5.9 | Affected: ≥ 4.1.0, ≤ 4.3.3.RKD2; ≥ 5.0.0, ≤ 5.1.0.RN42 | Date: 2025-12-12
CVE-2025-13052 [MEDIUM] CWE-295: When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improper TLS/SSL certificate validation allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versio
Source: nvd
CVE-2025-7378 | P4 | MEDIUM | CVSS 6.0 | Affected: ≥ 4.1, < 4.3.1.R5A1 | Date: 2025-07-09
CVE-2025-7378 [MEDIUM] CWE-20: An Improper Input Validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuration file, causing the NAS to exhibit unexpected behavior. This issue affects ADM: from 4.1 before 4.3.1.R5A1.
Source: nvd
CVE-2023-4475 | P4 | MEDIUM | CVSS 5.5 | Affected: ≥ 4.0, ≤ 4.0.6.RIS1; ≥ 4.1, ≤ 4.1.0.RLQ1; +1 more | Date: 2023-08-22
CVE-2023-4475 [MEDIUM] CWE-552: An Arbitrary File Movement vulnerability found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.
Source: nvd
CVE-2023-2509 | P4 | MEDIUM | CVSS 6.1 | Affected: v4.0.0; v4.0.6; +5 more | Date: 2023-05-17
CVE-2023-2509 [MEDIUM] CWE-79: A Cross-Site Scripting (XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.
Source: nvd
CVE-2025-7379 | P4 | MEDIUM | CVSS 5.2 | Affected: ≥ 1.1.0, < 1.1.0.r207; ≥ 1.2.0, < 1.2.0.r206 | Date: 2025-07-09
CVE-2025-7379 [MEDIUM] CWE-352: A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
Source: nvd
CVE-2025-7618 | P4 | MEDIUM | CVSS 4.8 | Affected: ≥ 4.1.0, ≤ 4.3.3.RH61; ≥ 5.0.0, ≤ 5.0.0.RIN1; +1 more | Date: 2025-07-14
CVE-2025-7618 [MEDIUM] CWE-79: A stored Cross-Site Scripting (XSS) vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications. Affected prod
Source: nvd