
AS-2026-004: FTP Backup

2026-02-25

Severity

Important

Status

Ongoing


Statement

Multiple vulnerabilities affecting ADM have been reported in FTP Backup:

  • An improper certificate validation vulnerability was found in the FTP Backup on the ADM.
  • A path traversal vulnerability was found in the FTP Backup on the ADM.

Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.

  • The issues have been fixed in ADM 5.1.2.REO1.

Affected Products

Product | Severity | Fixed Release Availability
ADM 5.0 | Important | Upgrade to ADM 5.1.2.REO1 or above.
ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing

Detail

  • CVE-2026-3100
    • Severity: High
    • CVSS4 Base Score: 8.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
    • FTP Backup on ADM does not strictly enforce TLS certificate verification when connecting to an FTP server using FTPES/FTPS. Because TLS/SSL certificates are improperly validated, a remote attacker who can intercept network traffic can perform a Man-in-the-Middle (MitM) attack and may intercept, modify, or obtain sensitive information such as authentication credentials and backup data. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
  • CVE-2026-3179
    • Severity: Critical
    • CVSS4 Base Score: 9.2
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    • FTP Backup on ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MitM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. This path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
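
Added example (not ASUSTOR's code or its fix): how a backup client can enforce the two checks these CVEs concern, a verifying TLS context for FTPS/FTPES and containment of server-supplied filenames inside the backup directory. The function names and `SAMPLE_LISTING` are assumptions constructed for illustration.

```python
import ssl
from pathlib import Path

# Constructed sample: names as they might come back from a directory listing.
SAMPLE_LISTING = ["photos/2026/img001.jpg", "../../etc/cron.d/job",
                  "/etc/passwd", "docs\\..\\..\\boot.cfg", "notes.txt"]

def strict_tls_context() -> ssl.SSLContext:
    """Context for an FTPS/FTPES client: chain and hostname must both verify."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def safe_local_path(backup_root: Path, remote_name: str) -> Path:
    """Map a server-supplied name to a path inside backup_root or raise ValueError."""
    if "\x00" in remote_name:
        raise ValueError("NUL byte in name")
    # Accept either separator from the server; reject empty, '.', and '..' parts.
    # A leading '/' yields an empty first part, so absolute paths are rejected too.
    parts = remote_name.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"unsafe path component in {remote_name!r}")
    root = backup_root.resolve()
    candidate = root.joinpath(*parts).resolve()  # also follows symlinks under root
    if not candidate.is_relative_to(root):       # Python 3.9+
        raise ValueError(f"{remote_name!r} resolves outside the backup directory")
    return candidate

def filter_listing(backup_root: Path, names):
    """Split listing names into (accepted local paths, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(backup_root, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = filter_listing(Path("backup_root_demo"), SAMPLE_LISTING)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```

With Python's standard `ftplib`, the context would be passed as `ftplib.FTP_TLS(host, context=strict_tls_context())`, and every name from the listing would go through `safe_local_path` before any file is opened for writing.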

Reference

Acknowledgement

Nuke


Revision

Revision | Date | Description
1 | 2026-02-22 | Initial public release.
2 | 2026-02-25 | CVE IDs (CVE-2026-3100, CVE-2026-3179) were assigned to the issues.
3 | 2026-02-25 | ADM 5.1.2.REO1 has been released to fix the issues.