18 matches found

NVD
added 2026/02/25 6:16 a.m. · 7 views

CVE-2026-3100

The FTP Backup on ADM does not strictly enforce TLS certificate verification when connecting to an FTP server using FTPES/FTPS. Improperly validated TLS/SSL certificates allow a remote attacker to intercept network traffic and perform a Man-in-the-Middle (MitM) attack, which may...

CVSS 8.3 · EPSS 0.00179 · Exploits 0 · References 1

Positive Technologies
added 2026/02/25 12:0 a.m. · 9 views

PT-2026-21876

Name of the Vulnerable Software and Affected Versions: ASUSTOR ADM versions 4.1.0 through 4.3.3.ROF1; ASUSTOR ADM versions 5.0.0 through 5.1.2.RE51. Description: The FTP Backup feature does not properly validate TLS certificates when connecting to an FTP server using FTPES/FTPS. This improper...

CVSS 8.3 · AI score 5.4 · EPSS 0.00179 · Exploits 0 · References 2

RedhatCVE
added 2026/02/04 3:15 a.m. · 3 views

CVE-2026-24935

A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could...

CVSS 6.3 · AI score 5.5 · EPSS 0.00144 · Exploits 0 · References 1

EUVD
added 2026/02/03 2:28 a.m. · 3 views

EUVD-2026-5286

A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could...

CVSS 6.3 · AI score 5.5 · EPSS 0.00144 · Exploits 0 · References 1

Vulnrichment
added 2026/02/03 2:22 a.m. · 3 views

CVE-2026-24933 An improper certificate validation vulnerability was found in ADM while sending HTTPS requests to the server.

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. This improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication,...

CVSS 8.9 · AI score 5.6 · EPSS 0.00204 · Exploits 0 · References 1

Positive Technologies
added 2026/02/03 12:0 a.m. · 6 views

PT-2026-5764

The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, the improperly validated TLS/SSL certificate allows a remote attacker to intercept the communication and perform a Man-in-the-Middle (MitM) attack, whi...

CVSS 8.9 · AI score 5.5 · EPSS 0.00206 · Exploits 0 · References 2

Positive Technologies
added 2026/02/03 12:0 a.m. · 8 views

PT-2026-5766

The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its...

CVSS 6.3 · AI score 5.6 · EPSS 0.00156 · Exploits 0 · References 2

OSV
added 2025/12/12 3:15 a.m. · 1 view

CVE-2025-13053

When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of th...

CVSS 3.7 · AI score 5.8 · EPSS 0.00085 · Exploits 0 · References 1

EUVD
added 2025/12/12 2:30 a.m. · 3 views

EUVD-2025-202943

When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive...

CVSS 7 · AI score 6.2 · EPSS 0.00157 · Exploits 0 · References 2

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2025-21594

Malicious code in bioql PyPI...

CVSS 7.1 · AI score 6.6 · EPSS 0.00332 · Exploits 0 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2025-21332

Malicious code in bioql PyPI...

CVSS 4.8 · AI score 6.6 · EPSS 0.00276 · Exploits 0 · References 1

RedhatCVE
added 2025/07/18 10:4 a.m. · 9 views

CVE-2025-7699

An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request...

CVSS 7.1 · AI score 6.9 · EPSS 0.00332 · Exploits 0 · References 1

Cvelist
added 2025/07/16 9:41 a.m. · 9 views

CVE-2025-7699 An improper access control vulnerability was found in the EZ Sync Manager of ADM

An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request...

CVSS 7.1 · EPSS 0.00332 · Exploits 0 · References 1

CVE
added 2025/07/14 10:15 a.m. · 14 views

CVE-2025-7618

CVE-2025-7618 describes a stored Cross-Site Scripting (XSS) vulnerability in the ADM File Explorer and Text Editor. Affected products and versions include: ADM 4.1.0–4.3.3.RH61 and ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier. The vulnerability allows injected scripts to pot...

CVSS 4.8 · AI score 5.1 · EPSS 0.00276 · Exploits 0 · References 1

NVD
added 2025/07/14 6:15 a.m. · 4 views

CVE-2025-7380

A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM. The issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is...

CVSS 4.8 · EPSS 0.00276 · Exploits 0 · References 1

Positive Technologies
added 2023/08/17 12:0 a.m. · 2 views

PT-2023-25760 · Adm · Adm

Name of the Vulnerable Software and Affected Versions: ADM versions 4.0.6.RIS1 through 4.1.0; ADM versions 4.2.2.RI61 and below. Description: The printer service fails to adequately handle user input, allowing remote unauthorized users to navigate beyond the intended directory structure and delete...

CVSS 8.5 · AI score 7.9 · EPSS 0.00532 · Exploits 0 · References 5

Vulnrichment
added 2023/05/31 9:26 a.m. · 7 views

CVE-2023-2909 A Directory traversal vulnerability was found on EZ Sync service of ADM

EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below...

CVSS 8.5 · AI score 7.1 · EPSS 0.00673 · Exploits 0 · References 1

CNVD
added 2018/08/28 12:0 a.m. · 2 views

ASUSTOR Data Master File Disclosure Vulnerability

ASUSTOR Data Master (ADM) is a dedicated operating system for ASUSTOR NAS storage devices from ASUSTOR. A file disclosure vulnerability exists in ASUSTOR ADM 3.1.5 and earlier versions. A remote attacker can exploit this vulnerability by sending a request to the downloadwallpaper.cgi file and...

CVSS 6.5 · AI score 6.6 · EPSS 0.00907 · Exploits 1 · References 1