Warning: Critical file-overwrite in ASUSTOR ADM. Unauthenticated Attackers Can Compromise The NAS, Patch Immediately!

Published: 03/02/2026
  • Last update: 03/02/2026
  • Affected software: ASUSTOR Data Master (ADM) versions: 5.0, 4.3, 4.2, 4.1
  • Type: CWE-20 - Improper Input Validation
  • CVE/CVSS
    → CVE-2026-24936: CVSS 9.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

ASUSTOR - https://www.asustor.com/security/security_advisory_detail?id=51

Risks

ASUSTOR Data Master (ADM) is the operating system for ASUSTOR NAS devices, providing a web-based interface to manage storage, users, backups, and apps.

This vulnerability in ADM allows unauthenticated attackers to write arbitrary files when a specific function is enabled while joining an Active Directory (AD) domain from ADM.

The impact to confidentiality, integrity, and availability is high.

It’s especially dangerous because NAS devices often store sensitive data, credentials, and configuration files; exploitation could lead to immediate data loss or lateral movement in enterprise networks.

There is currently no evidence that this vulnerability has been exploited in the wild, but NAS devices have been targeted in multiple campaigns in the past.

Description

This weakness allows attackers to conduct the following:

  1. Delivery - The attacker sends a crafted HTTP request targeting the vulnerable ADM instance.
  2. Input validation bypass - ADM fails to properly validate the input, allowing data to be written to arbitrary locations on the filesystem.
  3. Execute / Post-compromise - Arbitrary files can overwrite critical system or configuration files, enabling attackers to compromise the NAS fully.
  4. Post-compromise impact - Attackers can exfiltrate locally stored files, manipulate NAS behaviour, delete or corrupt data, pivot into connected services, or use the compromised NAS as a foothold in the network.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

For affected products:

  • ADM 5.0: Upgrade to ADM 5.1.2.RE31 or later.
  • ADM 4.3, 4.2, and 4.1: No patch has been released yet; users should follow vendor guidance and restrict network access until an update is available.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and to ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

CVE.org - https://www.cve.org/CVERecord?id=CVE-2026-24936