Description
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
Published: 2026-02-25
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A path traversal weakness in the FTP Backup feature of ASUSTOR ADM occurs because filenames from an FTP server are not properly sanitized when parsing directory listings. The flaw, CWE‑22, can allow a malicious or compromised FTP server to supply crafted file names that cause the ADM client to write files outside the intended backup directory. An attacker could overwrite arbitrary files on the system, potentially gaining elevated privileges or executing code remotely, depending on the overwritten files and system configuration.
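The check whose absence the description points to can be sketched as follows. This is an added example, not ASUSTOR's code and not part of the CVE record; the function names, the backup-root layout and the sample listing are assumptions made for illustration. It contrasts a join that trusts the server-supplied name with one that confines every listing entry to the backup directory.

```python
import os
import posixpath


class UnsafeRemoteName(ValueError):
    """A server-supplied name that would land outside the backup root."""


def naive_destination(backup_root, remote_name):
    # Weak pattern (hypothetical): the listing entry is trusted as-is, so
    # "../" sequences and absolute names decide where the file is written.
    return os.path.normpath(os.path.join(backup_root, remote_name))


def safe_destination(backup_root, remote_dir, entry_name):
    """Map one listing entry to a local path that stays under backup_root."""
    # An entry names one member of the listed directory: no separators,
    # no dot entries, no NUL bytes.
    if (not entry_name or entry_name in (".", "..")
            or any(c in entry_name for c in ("/", "\\", "\x00"))):
        raise UnsafeRemoteName(repr(entry_name))
    root = os.path.realpath(backup_root)
    # remote_dir is the directory the client asked for; anchor it at "/"
    # before normalising so any ".." components collapse at the root.
    rel_dir = posixpath.normpath("/" + remote_dir).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel_dir, entry_name))
    # Containment check after symlink resolution.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRemoteName(repr(entry_name))
    return candidate


def filter_listing(backup_root, remote_dir, names):
    """Split listing entries into accepted local paths and rejected names."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_destination(backup_root, remote_dir, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected


# Constructed sample of names as they might arrive in a directory listing.
SAMPLE_NAMES = ["report.pdf", "../../outside.txt", "/abs/outside.txt",
                "..", "photos\\..\\x", "notes.txt"]
```

Rejected names are worth logging with the server address, since a listing that contains them indicates a hostile or tampered FTP peer.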

Affected Systems

ASUSTOR ADM versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.2.RE51 are vulnerable to the path traversal issue in the FTP Backup component.

Risk and Exploitability

The vulnerability has a CVSS score of 9.2, classifying it as critical, but the EPSS score is less than 1%, indicating that exploitation attempts are currently rare. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a remote or MITM FTP server that sends malicious filenames; the attacker would need network access to the ADM's FTP service or the ability to MITM the connection. Successful exploitation would allow file overwrite, which could lead to privilege escalation or remote code execution if sensitive files are targeted.

Generated by OpenCVE AI on April 17, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ASUSTOR firmware update that includes a fix for the FTP Backup path traversal issue.
  • If a recent firmware update is not available, disable the FTP Backup feature or restrict it to trusted local sources only.
  • Block or filter outbound FTP connections from the ADM to prevent malicious or unauthorized FTP servers from influencing the backup process.

Generated by OpenCVE AI on April 17, 2026 at 15:23 UTC.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Asustor data Master
CPEs cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
Vendors & Products Asustor data Master
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Asustor
Asustor adm
Vendors & Products Asustor
Asustor adm

Wed, 25 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ASUSTOR ADM FTP Backup on Linux, x86, ARM, 64 bit allows Path Traversal. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.2.RE51. The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.

Wed, 25 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ASUSTOR ADM FTP Backup on Linux, x86, ARM, 64 bit allows Path Traversal. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.2.RE51.
Title A path traversal vulnerability was found in the FTP Backup on the ADM.
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-02-25T17:41:00.546Z

Reserved: 2026-02-25T03:47:42.339Z

Link: CVE-2026-3179

Vulnrichment

Updated: 2026-02-25T17:02:56.416Z

NVD

Status: Analyzed

Published: 2026-02-25T06:16:27.597

Modified: 2026-02-26T16:32:25.233

Link: CVE-2026-3179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses