Description
The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack and intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers.


Affected products and versions: ADM 4.1.0 through ADM 4.3.3.ROF1, and ADM 5.0.0 through ADM 5.1.1.RCI1.
Published: 2026-02-03
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-Middle via improper SSL/TLS certificate validation
Action: Immediate Patch
AI Analysis

Impact

The ADM API communication component skips SSL/TLS certificate validation when establishing HTTPS connections to the server. Consequently, an unauthenticated remote attacker positioned on the network path can mount a Man-in-the-Middle attack and intercept the data sent over HTTPS, potentially exposing account e-mail addresses, MD5-hashed passwords, and device serial numbers.

Affected Systems

ASUSTOR ADM software versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1 are affected. Devices running any of these releases are susceptible until the flaw is patched or mitigated.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.9 (High). The EPSS indicates a probability of exploitation below 1%, and it is not listed in the CISA KEV catalog. Inferred: an attacker would need to present a forged or otherwise modified SSL/TLS certificate to the device during its outbound HTTPS transaction; the device then accepts it without verification. This can be staged from any external network location, with no authentication required. Because the flaw allows complete interception of application traffic, it enables data exfiltration and credential theft.

Generated by OpenCVE AI on April 18, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ADM to the latest version that fixes the certificate validation flaw (consult the vendor advisory for the exact release).
  • Enforce network‑level controls to restrict outbound HTTPS traffic from the ADM device so it can contact only the internal administrative server or other trusted hosts; this limits the opportunity for a forged certificate to be accepted until a patch is applied.
  • As a temporary precaution, replace the ADM’s default certificate store with a minimal CA bundle that excludes self‑signed certificates, forcing the component to reject any untrusted certificates during HTTPS requests.


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Asustor data Master
CPEs                                  cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
Vendors & Products                    Asustor data Master
Metrics                               cvssV3_1
                                      {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Asustor
                                      Asustor adm
Vendors & Products                    Asustor
                                      Asustor adm

Tue, 03 Feb 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description                           The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack and intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions: ADM 4.1.0 through ADM 4.3.3.ROF1, and ADM 5.0.0 through ADM 5.1.1.RCI1.
Title                                 An improper certificate validation vulnerability was found in ADM while sending HTTPS requests to the server.
Weaknesses                            CWE-295
References
Metrics                               cvssV4_0
                                      {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-02-03T15:31:09.436Z

Reserved: 2026-01-28T08:40:24.461Z

Link: CVE-2026-24933

Vulnrichment

Updated: 2026-02-03T15:26:08.184Z

NVD

Status: Analyzed

Published: 2026-02-03T03:15:53.240

Modified: 2026-02-19T18:17:38.983

Link: CVE-2026-24933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses