CVE-2026-24932 An improper certificate validation vulnerability was found in ADM while updating the DDNS settings.

The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle MitM attack, whi...

EUVD-2022-40031

Malicious code in bioql PyPI...

EUVD-2023-33992

Malicious code in bioql PyPI...

CVE-2025-7699 An improper access control vulnerability was found in the EZ Sync Manager of ADM

An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request...

PT-2025-29718 · Adm · Adm

Name of the Vulnerable Software and Affected Versions: ADM versions 4.1.0 through 4.3.3.RH61 ADM version 5.0.0.RIN1 and earlier Description: An improper access control vulnerability exists in the EZ Sync Manager of ADM. Authenticated users can copy arbitrary files from the server file system into...

CVE-2025-7380 A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM

A stored Cross-Site Scripting XSS vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is...

ASUSTOR ADM 安全漏洞

ASUSTOR ADM is a specialized operating system for all ASUSTOR NAS devices from ASUS, China. A security vulnerability exists in ASUSTOR ADM that stems from a stored cross-site scripting attack that could result in access to sensitive information...

CVE-2023-2509 A Cross-Site Scripting(XSS) vulnerability was found on ADM

A Cross-Site ScriptingXSS vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application...

VulnCheck KEV: CVE-2018-11511

The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'albumid' or 'scope' parameter via a photo-gallery/api/album/treelists/ URI...

CVE-2018-12308

Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encryptkey" URL parameter...