Description
When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
Published: 2026-02-03
Score: 9.5 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite leading to system compromise
Action: Apply Fix
AI Analysis

Impact

The vulnerability stems from improper input validation in a CGI program that is triggered when a particular function is enabled during an AD Domain join operation in ADM. An attacker who can reach the ADM interface without authentication can supply crafted input, causing the CGI to write arbitrary data to any file on the underlying system. This allows overwriting critical system files, essentially granting full control over the NAS and leading to a complete system compromise. The weakness corresponds to CWE‑20: Improper Input Validation.

Affected Systems

Products affected are ASUSTOR Advanced Data Master (ADM) versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1. These include the Data Master operating system shipped with ASUSTOR NAS devices and any installation that uses the vulnerable ADM versions listed.

Risk and Exploitability

The CVSS score of 9.5 reflects the high severity of the flaw. Although the EPSS score is below 1%, indicating a low current likelihood of exploitation, the vulnerability remains a critical risk because it can be abused remotely without authentication and the attacker does not need to perform any privilege escalation before the file overwrite occurs. The vulnerability is not listed in the CISA KEV catalog, but its potential for complete system compromise warrants immediate attention. The attack requires remote connectivity to the ADM management interface and activation of the vulnerable function during AD Domain join, after which the attacker can write to any file.

Generated by OpenCVE AI on April 18, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest firmware that incorporates the fix for the unauthenticated file overwrite vulnerability, ensuring the ADM component is updated to a version newer than 5.1.1.RCI1.
  • Restrict access to the ADM management interface by limiting it to trusted internal networks and enforcing strong authentication where possible.
  • If an upgrade cannot be performed immediately, disable the AD Domain join functionality in ADM or restrict the CGI that handles that operation, and enable verbose logging to detect any unauthorized file write attempts.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Asustor data Master |
| CPEs | | cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:* |
| Vendors & Products | | Asustor data Master |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Wed, 04 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 04 Feb 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Asustor, Asustor adm |
| Vendors & Products | | Asustor, Asustor adm |

Tue, 03 Feb 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. |
| Title | | An improper input validation vulnerability was found in ADM while joining an AD Domain. |
| Weaknesses | | CWE-20 |
| References | | |
| Metrics | | cvssV4_0 {'score': 9.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'} |


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-02-04T16:12:51.388Z

Reserved: 2026-01-28T08:40:24.462Z

Link: CVE-2026-24936

Vulnrichment

Updated: 2026-02-04T16:12:46.572Z

NVD

Status: Analyzed

Published: 2026-02-03T04:15:56.357

Modified: 2026-02-19T17:39:07.473

Link: CVE-2026-24936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z
