Description
A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
Published: 2026-02-03
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle risk affecting NAT traversal and service availability
Action: Patch ASAP
AI Analysis

Impact

A third‑party NAT traversal module in ASUSTOR ADM devices fails to validate SSL/TLS certificates when connecting to the signaling server. An attacker who can position themselves between the device and the server can intercept, alter, or redirect the NAT tunnel establishment. The attacker cannot immediately reach device services, but by acting as a transparent proxy they can disrupt service availability or later launch more targeted attacks against the device’s internal services. This weakness is a classic certificate‑validation flaw that permits a MITM attack and carries the potential to compromise integrity and availability of the managed storage system.
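As an added illustration of the Description and Impact text above (example code, not ASUSTOR's module, whose source is not on this page): a TLS client that negotiates encryption but never verifies the server certificate, the corrected client beside it, and an audit check a reviewer can run over a context. The signaling-server hostname and port are placeholders.

```python
"""Added example (not ASUSTOR's code): a CWE-295 TLS client that accepts any
certificate, beside the corrected client, using Python's ssl module."""
import socket
import ssl
from typing import Optional

# Placeholder signaling-server endpoint; the real hostname is not on the page.
SIGNALING_HOST = "signaling.example.invalid"
SIGNALING_PORT = 443


def insecure_client_context() -> ssl.SSLContext:
    """The class of flaw the advisory describes: TLS is negotiated, but the
    server certificate is never verified, so an on-path party presenting any
    certificate (self-signed, issued for any name) completes the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept anything, or no certificate
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Correct client setup: require a certificate, validate its chain against
    a trust store (a private CA bundle pins trust to the operator's own CA),
    and bind the certificate to the expected hostname."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check: MITM resistance needs both a required, chain-validated
    certificate and a hostname match; either one alone is insufficient."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_to_signaling(ctx: ssl.SSLContext, host: str = SIGNALING_HOST,
                         port: int = SIGNALING_PORT) -> ssl.SSLSocket:
    """Opens the tunnel-signaling connection. server_hostname drives SNI and
    the hostname check: the insecure context completes this against an
    impostor, the hardened one raises ssl.SSLCertVerificationError."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

The audit function is the useful part for firmware review: it fails a context as soon as either verification setting is relaxed, which is exactly the condition that lets an on-path party redirect the tunnel setup.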

Affected Systems

ASUSTOR ADM firmware versions from 4.1.0 through 4.3.3.ROF1 and from 5.0.0 through 5.1.1.RCI1 are impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate risk. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker able to insert themselves into the network path between the device and the official signaling server; this does not require local device compromise but does require control over the network or a compromised endpoint. Once positioned, the attacker could intercept the NAT traversal handshake, causing a denial of service or providing a foothold for further exploitation.

Generated by OpenCVE AI on April 18, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that includes the certificate‑validation fix, such as ADM 4.3.3.ROF2 or newer and ADM 5.1.2.RCI2 or newer.
  • If a firmware update cannot be installed immediately, isolate the device from untrusted networks and limit outbound traffic to only the authoritative signaling server, blocking other external connections.
  • Monitor device logs and network traffic for anomalous NAT tunnel connections or unexpected proxies, and investigate any suspicious activity promptly.



Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:30:00 +0000

  Values Added:
    First Time appeared: Asustor data Master
    CPEs: cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
    Vendors & Products: Asustor data Master
    Metrics: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Wed, 04 Feb 2026 12:15:00 +0000

  Values Added:
    First Time appeared: Asustor, Asustor adm
    Vendors & Products: Asustor, Asustor adm

Tue, 03 Feb 2026 16:15:00 +0000

  Values Added:
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

  Values Added:
    Description: A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
    Title: An improper certificate validation vulnerability was found in a third-party NAT traversal module.
    Weaknesses: CWE-295
    References:
    Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-02-03T15:30:54.564Z

Reserved: 2026-01-28T08:40:24.462Z

Link: CVE-2026-24935

Vulnrichment

Updated: 2026-02-03T15:26:04.831Z

NVD

Status : Analyzed

Published: 2026-02-03T03:15:53.507

Modified: 2026-02-19T18:19:51.097

Link: CVE-2026-24935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses