Asustor Adm
25 CVEs affecting Asustor Adm. Latest disclosed: 2026-02-25. Critical: 2, High: 11.

| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-24936 | Critical | 9.8 | 2026-02-03 | When a specific function is enabled while joining an AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowin… |
| CVE-2018-11510 | Critical | 9.8 | 2018-06-28 | The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding… |
| CVE-2023-2910 | High | 8.8 | 2023-08-17 | Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM)… |
| CVE-2023-3699 | High | 8.7 | 2023-08-22 | An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) that allows unprivileged local users to modify the storage devices configur… |
| CVE-2023-2749 | High | 8.6 | 2023-05-31 | Download Center fails to properly validate the file path submitted by a user. An attacker can exploit this vulnerability to gain unauthorized access to sensiti… |
| CVE-2023-3698 | High | 8.5 | 2023-08-17 | Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete fil… |
| CVE-2023-3697 | High | 8.5 | 2023-08-17 | Printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and create fil… |
| CVE-2023-2909 | High | 8.5 | 2023-05-31 | EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected prod… |
| CVE-2026-3179 | High | 8.1 | 2026-02-25 | The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacke… |
| CVE-2023-4475 | High | 7.5 | 2023-08-22 | An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) that allows an attacker to exploit the file renaming feature to move files to uninte… |
| CVE-2023-2509 | High | 7.1 | 2023-05-17 | A Cross-Site Scripting (XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scrip… |
| CVE-2023-30770 | High | 7.1 | 2023-04-17 | A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size validation. An attacker can exploit this vu… |
| CVE-2022-37398 | High | 7.1 | 2022-08-05 | A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulner… |
| CVE-2026-3100 | Medium | 6.5 | 2026-02-25 | The FTP Backup on the ADM does not strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper valid… |
| CVE-2026-24933 | Medium | 5.9 | 2026-02-03 | The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulner… |
| CVE-2026-24932 | Medium | 5.9 | 2026-02-03 | The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improp… |
| CVE-2025-13052 | Medium | 5.9 | 2025-12-12 | When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improper validation of TLS/SSL certificates allows an attacker who can… |
| CVE-2026-24935 | Medium | 5.6 | 2026-02-03 | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services r… |
| CVE-2026-24934 | Low | 3.7 | 2026-02-03 | The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP addres… |
| CVE-2025-13053 | Low | 3.7 | 2025-12-12 | When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept n… |