Description
The FTP Backup feature on the ADM does not strictly enforce TLS certificate verification when connecting to an FTP server using FTPES/FTPS. Because the server certificate is not properly validated, a remote attacker who can intercept the network traffic between the ADM and the backup server can perform a Man-in-the-Middle (MitM) attack and intercept, modify, or obtain sensitive information such as authentication credentials and backup data.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
Published: 2026-02-25
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle via bypassed TLS certificate validation
Action: Immediate Update
AI Analysis

Impact

Improper validation of TLS/SSL certificates in the FTP Backup feature of the ADM allows an attacker positioned on the network path to perform a Man‑in‑the‑Middle attack while the system is backing up to an FTPES/FTPS server. The flaw permits interception, alteration, or retrieval of sensitive data such as authentication credentials and backup contents without the user’s knowledge. The weakness is classified as CWE‑295 (Improper Certificate Validation): TLS still encrypts the connection, but because the server's identity is not verified, the ADM cannot distinguish the legitimate backup server from an attacker presenting their own certificate.

Affected Systems

The issue affects devices running ASUSTOR ADM firmware versions from 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.2.RE51.

Risk and Exploitability

The CVSS v4.0 score of 8.3 indicates high severity (NVD's CVSS v3.1 assessment is 6.5 Medium, with high attack complexity); the EPSS score of less than 1% suggests a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. No privileges on the ADM and no credentials are required, but the attacker must be able to intercept or redirect the ADM's outbound FTPES/FTPS connection to the backup server; the AT:P component of the v4.0 vector reflects this positioning requirement. The ADM is the TLS client in this scenario, so the attacker does not connect to the ADM itself. Where that network position is achievable, the impact on the confidentiality of backup data and credentials is significant, and the integrity of the backed-up data may also be affected.

Generated by OpenCVE AI on April 17, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ADM firmware to a version that includes the certificate validation fix as soon as ASUSTOR publishes one; no advisory or fixed version is linked on this page yet, so check the ASUSTOR security advisories directly.
  • Until a fix is available, avoid running FTP Backup over untrusted networks: route the backup traffic over a VPN or a network segment you control. Because the flaw is on the client (ADM) side, a properly signed certificate on the backup server does not by itself protect the connection.
  • Restrict the ADM's outbound FTPES/FTPS traffic with egress firewall rules that allow only the known backup server address, and monitor for connections to unexpected destinations or for changes in the certificate presented by the backup server. Note the traffic direction: the ADM initiates the connection, so rules that block inbound FTP to the appliance do not address this issue.
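The weak client configuration the description and the recommendations above refer to, beside two hardened alternatives, as an added example written with Python's ftplib; this is not ASUSTOR's code, and the ADM's own implementation is not shown on this page. The host, credentials, file names and pinned fingerprint are placeholder parameters supplied by the caller. The pinning variant covers the common case of a NAS backing up to a server with a self-signed certificate, where the temptation is to switch verification off: it keeps TLS on and instead checks the server's certificate fingerprint on the control channel and on every protected data channel.

```python
"""Hardened FTPES (explicit FTP over TLS) client for a NAS-to-server backup job.

Added example, not ASUSTOR's code. It shows the weak configuration class the
advisory describes (TLS without certificate validation) beside two sound ones:
CA/hostname validation and, for self-signed backup servers, certificate pinning.
"""
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS


def weak_tls_context():
    """The CWE-295 pattern: traffic is encrypted, but any certificate is
    accepted, so an interposed attacker terminating TLS goes undetected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_tls_context(ca_bundle=None):
    """Hardened: the server certificate must chain to a trusted CA (system
    store, or the bundle given) and match the hostname that was dialed."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True only if a MitM presenting its own certificate would fail the handshake."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, pinned):
    """Constant-time comparison; accepts 'AA:BB:..' or bare hex pins."""
    pin = pinned.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), pin)


class PinnedFTPTLS(FTP_TLS):
    """FTPES client for a backup server with a self-signed certificate.

    Instead of disabling validation (the weak pattern), the SHA-256 fingerprint
    recorded out of band is enforced on the control channel and on every
    PROT P data channel, so a substituted certificate aborts the transfer.
    """

    def __init__(self, pinned_sha256, **kwargs):
        self.pinned_sha256 = pinned_sha256
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # no CA chain exists for a self-signed cert ...
        ctx.verify_mode = ssl.CERT_NONE  # ... so identity is checked via the pin below
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        super().__init__(context=ctx, **kwargs)

    def _enforce_pin(self, tls_sock):
        der = tls_sock.getpeercert(binary_form=True)
        if not der or not fingerprint_matches(der, self.pinned_sha256):
            tls_sock.close()             # fail closed: no credentials or data are sent
            seen = cert_fingerprint(der) if der else "no certificate"
            raise ssl.SSLCertVerificationError(
                f"backup server certificate mismatch: expected {self.pinned_sha256}, got {seen}")

    def auth(self):
        resp = super().auth()            # AUTH TLS handshake on the control connection
        self._enforce_pin(self.sock)
        return resp

    def ntransfercmd(self, cmd, rest=None):
        conn, size = super().ntransfercmd(cmd, rest)
        if self._prot_p:                 # data channel is TLS-wrapped only after prot_p()
            self._enforce_pin(conn)
        return conn, size


def run_backup(host, user, password, local_path, remote_name, pinned_sha256=None):
    """Upload one file. Hostname, credentials and pin are caller-supplied
    placeholders; nothing here refers to a real ASUSTOR endpoint."""
    if pinned_sha256:
        ftp = PinnedFTPTLS(pinned_sha256)
    else:
        ftp = FTP_TLS(context=strict_tls_context())
    ftp.connect(host, 21, timeout=30)
    ftp.auth()                           # TLS is established before credentials leave the client
    ftp.login(user, password)
    ftp.prot_p()                         # encrypt the data channel as well
    with open(local_path, "rb") as fh:
        ftp.storbinary(f"STOR {remote_name}", fh)
    ftp.quit()
```

Record the pin out of band (for example from the server's own certificate file) rather than from a first connection over the network, since a first-use capture would accept whatever certificate an interposed party presents at that moment. Moving the backup server to a CA-issued certificate and using strict_tls_context() removes the need to rotate pins when the certificate is renewed.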

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Asustor data Master
CPEs                  (none)           cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Asustor data Master
Metrics               (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Asustor; Asustor adm
Vendors & Products    (none)           Asustor; Asustor adm

Wed, 25 Feb 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description   (not shown)      Improper Certificate Validation vulnerability in ASUSTOR ADM FTP Backup on Linux, x86, ARM, 64 bit allows Sniffing Attacks. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.2.RE51. The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS. An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM) attack, which may intercept, modify, or obtain sensitive information such as authentication credentials and backup data. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.

Wed, 25 Feb 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Improper Certificate Validation vulnerability in ASUSTOR ADM FTP Backup on Linux, x86, ARM, 64 bit allows Sniffing Attacks. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.2.RE51.
Title         (none)           An improper certificate validation vulnerability was found in the FTP Backup on the ADM.
Weaknesses    (none)           CWE-295
References    (none)           (none listed)
Metrics       (none)           cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-02-27T14:26:39.407Z

Reserved: 2026-02-24T08:35:18.143Z

Link: CVE-2026-3100

Vulnrichment

Updated: 2026-02-25T17:48:38.140Z

NVD

Status : Analyzed

Published: 2026-02-25T06:16:26.180

Modified: 2026-02-26T16:33:43.460

Link: CVE-2026-3100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses