
AS-2026-002: ADM

2026-02-03

Severity

Important

Status

Ongoing


Statement

An improper input validation vulnerability was found in ADM while joining an AD Domain. When a specific function is enabled while joining an AD Domain from ADM, improper validation of input parameters in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise.
Affected products and versions: ADM 4.1.0 through ADM 4.3.3.ROF1, and ADM 5.0.0 through ADM 5.1.1.RCI1.

  • The issues have been fixed in ADM 5.1.2.RE31.

Affected Products

| Product | Severity | Fixed Release Availability |
|---|---|---|
| ADM 5.0 | Important | Upgrade to ADM 5.1.2.RE31 or above. |
| ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing |

Detail

  • CVE-2026-24936
    • Severity: Critical
    • CVSS4 Base Score: 9.5
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • When a specific function is enabled while joining an AD Domain from ADM, improper validation of input parameters in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions: ADM 4.1.0 through ADM 4.3.3.ROF1, and ADM 5.0.0 through ADM 5.1.1.RCI1.

Reference

Acknowledgement

Wilson Lu (@93wilsonlu), working with DEVCORE Internship Program


Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2026-01-26 | Initial public release. |
| 2 | 2026-02-03 | CVE ID (CVE-2026-24936) is assigned for the issue. |
| 3 | 2026-02-03 | ADM 5.1.2.RE31 has been released for fixing the issue. |