
AS-2022-011: ADM







A vulnerability has been found that allows remote authenticated users to execute arbitrary code through the WebDAV protocol in susceptible versions of ASUSTOR Data Master (ADM). The issue has been resolved in ADM 3.5.9.RWM1, ADM 4.0.5.RWM1 and ADM 4.1.0.RKM1.

Affected Products

| Product | Severity | Fixed Release Availability |
|---------|-----------|----------------------------------|
| ADM 4.1 | Important | Upgrade to 4.1.0.RKM1 or above. |
| ADM 4.0 | Important | Upgrade to 4.0.5.RWM1 or above. |
| ADM 3.5 | Important | Upgrade to 3.5.9.RWM1 or above. |


ASUSTOR strongly recommends keeping your ASUSTOR NAS up to date, as updates provide security fixes. Before updating ADM, administrators can disable WebDAV as a temporary mitigation for this specific vulnerability.


  • CVE-2022-37398
    • Severity: High
    • CVSS3 Base Score: 7.1
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
    • A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected ADM versions include: 3.5.9.RUE3 and below, 4.0.5.RVI1 and below as well as 4.1.0.RJD1 and below.
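
The version boundaries above can be checked against an inventory of ADM version strings. The following is an added example, not ASUSTOR's code: the thresholds are copied from this advisory, while the hostnames, the sample inventory and the assumption that build tags on the same x.y.z release sort as plain strings are constructed for illustration. Builds that fall between the last listed affected build and the first fixed build are reported as "unlisted" rather than guessed.

```python
import re

# Thresholds copied from the advisory: (last listed affected, first fixed) per branch.
BRANCHES = {
    (3, 5): ("3.5.9.RUE3", "3.5.9.RWM1"),
    (4, 0): ("4.0.5.RVI1", "4.0.5.RWM1"),
    (4, 1): ("4.1.0.RJD1", "4.1.0.RKM1"),
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.([A-Z0-9]+)")

def parse(version):
    """Split 'major.minor.patch.BUILD' into a tuple that sorts in release order.
    Assumption: build tags on the same x.y.z sort as plain strings
    (RUE3 < RWM1, RJD1 < RKM1), which matches every pair in the advisory."""
    m = _VERSION.fullmatch(version.strip().upper())
    if m is None:
        raise ValueError(f"not an ADM version string: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def triage(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable' for one version."""
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"
    branch = v[:2]
    if branch in BRANCHES:
        last_affected, first_fixed = map(parse, BRANCHES[branch])
        if v <= last_affected:
            return "affected"
        return "fixed" if v >= first_fixed else "unlisted"
    if branch < min(BRANCHES):
        return "affected"   # advisory: "3.5.9.RUE3 and below"
    if branch > max(BRANCHES):
        return "fixed"      # advisory: "4.1.0.RKM1 or above"
    return "unlisted"       # a branch the advisory does not mention

# Constructed inventory: hostnames and the nas-03/nas-04 values are made up.
INVENTORY = {"nas-01": "4.0.5.RVI1", "nas-02": "4.1.0.RKM1",
             "nas-03": "3.5.9.RV01", "nas-04": "n/a"}

def needs_attention(inventory):
    """Hosts that are not confirmed fixed, mapped to the triage result."""
    return {h: s for h, ver in inventory.items() if (s := triage(ver)) != "fixed"}
```

Hosts returned by `needs_attention` are candidates for the upgrade or, until then, for the WebDAV-disable mitigation described above.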


Nikita Abramov from Positive Technologies


| Revision | Date | Description |
|----------|------------|-------------|
| 1 | 2022-07-28 | Initial public release. |
| 2 | 2022-08-05 | CVE ID (CVE-2022-37398) and CVE Record assigned for the issue. |
| 3 | 2022-08-29 | Release ADM 4.1.0.RKM1, ADM 4.0.5.RWM1 and ADM 3.5.9.RWM1 for fixing the issue. |