We use cookies to help us improve our webpage. Please read our Cookie Policy .

ASUSTOR Product Security Advisory

AS-2025-010: ADM

2025-12-12

Severity

Important

Status

Ongoing

Statement

Multiple vulnerabilities have been reported to affect ADM:

  • An improper certificates validation vulnerability was found in the Notification settings of ADM.
  • A missing encryption of sensitive data vulnerability was found in the UPS settings of ADM.

Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.


Affected Products

Product Severity Fixed Release Availability
ADM 5.0 Important Ongoing
ADM 4.3, ADM 4.2 and 4.1 Important Ongoing

Detail

  • CVE-2025-13052
    • Severity: High
    • CVSS4 Base Score: 7.0
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:L
    • When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.
  • CVE-2025-13053
    • Severity: High
    • CVSS4 Base Score: 7.0
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:L
    • When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.

Reference

Acknowledgement

Nuke


Revision

Revision Date Description
1 2025-12-08 Initial public release.
2 2025-12-12 CVE ID (CVE-2025-13052, CVE-2025-13053) is assigned for the issue.