Asustor: Seven Security Advisories on Vulnerabilities
Concerning EZ Sync Manager, ADM and Text Editor, ADM NAS OS, Sudo, DataSync Center, and Docker Engine
This is a Press Release edited by StorageNewsletter.com on July 18, 2025 at 2:00 pm

Asustor, Inc. has published seven security advisories concerning its ADM NAS OS and the Apps for its NAS.
EZ Sync Manager
Severity: Important
Status: Ongoing
Statement
An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 5.0 | Important | Ongoing.
ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing.
Detail
- CVE-2025-7699
- Severity: High
- CVSS4 Base Score: 7.1
- CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Acknowledgement: Engin Aydoğan
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-16 | Initial public release.
2 | 2025-07-16 | CVE ID (CVE-2025-7699) is assigned for the issue.
AS-2025-006: ADM and Text Editor
Severity: Moderate
Status: Ongoing
Statement
A stored Cross-Site Scripting (XSS) vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 5.0 | Moderate | Ongoing.
ADM 4.3, ADM 4.2 and 4.1 | Moderate | Ongoing.
Detail
- CVE-2025-7618
- Severity: Medium
- CVSS4 Base Score: 4.8
- CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Acknowledgement: Engin Aydoğan
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-14 | Initial public release.
2 | 2025-07-14 | CVE ID (CVE-2025-7618) is assigned for the issue.
ADM Access Control
Severity: Important
Status: Ongoing
Statement
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM. The issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data.
Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 5.0 | Important | Ongoing.
ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing.
Detail
- CVE-2025-7380
- Severity: Medium
- CVSS4 Base Score: 4.8
- CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Acknowledgement: Engin Aydoğan
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-14 | Initial public release.
2 | 2025-07-14 | CVE ID (CVE-2025-7380) is assigned for the issue.
Sudo
Severity: Important
Status: Ongoing
Statement
The Sudo team announced multiple vulnerabilities that have been fixed in the latest release of Sudo.
CVE-2025-32463 and CVE-2025-32462 affect Asustor products from ADM 4.1 to ADM 5.0. Updates with Sudo 1.9.17p1 will be released as soon as possible.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 5.0 | Important | Ongoing.
ADM 4.1, 4.2 and 4.3 | Important | Ongoing.
Detail
- CVE-2025-32463
- Severity: Critical
- Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
- CVE-2025-32462
- Severity: Low
- Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-11 | Initial public release.
DataSync Center
Severity: Important
Status: Resolved
Statement
A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.
- The issue has been fixed on DataSync Center 1.1.0.r208 for ADM 4.x.
- The issue has been fixed on DataSync Center 1.2.0.r207 for ADM 5.0 and above.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
DataSync Center on ADM 5.0 | Important | Upgrade DataSync Center to 1.2.0.r207 or above.
DataSync Center on ADM 4.x | Important | Upgrade DataSync Center to 1.1.0.r208 or above.
Detail
- CVE-2025-7379
- Severity: Medium
- CVSS4 Base Score: 5.2
- CVSS4 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-09 | Initial public release.
2 | 2025-07-09 | CVE ID (CVE-2025-7379) is assigned for the issue.
3 | 2025-07-11 | Release DataSync Center 1.1.0.r208 for ADM 4.x to fix the issue.
4 | 2025-07-11 | Release DataSync Center 1.2.0.r207 for ADM 5.0 to fix the issue.
ADM Configuration File
Severity: Important
Status: Resolved
Statement
An improper Input Validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuration file, causing the NAS to exhibit unexpected behavior. Affected products and versions include: 4.1.0 and below as well as ADM 4.3.1.R5A1 and below.
- The issue has been fixed on ADM 4.3.1.R6C1.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 4.3, ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.3.1.R6C1 or above.
Detail
- CVE-2025-7378
- Severity: Medium
- CVSS4 Base Score: 6
- CVSS4 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/R:U/U:Amber
- An improper Input Validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuration file, causing the NAS to exhibit unexpected behavior. This issue affects ADM: from 4.1 before 4.3.1.R5A1.
Revision
Revision | Date | Description
---|---|---
1 | 2025-07-09 | Initial public release.
2 | 2025-07-09 | CVE ID (CVE-2025-7378) is assigned for the issue.
3 | 2025-07-11 | ADM 4.3.1.R6C1 has been released to fix the issue.
Docker Engine
Severity: Moderate
Status: Resolved
Statement
Certain versions of Docker Engine have a security vulnerability in Go JOSE, and the issue has been fixed in the latest release of Docker Engine 28.0.1.
CVE-2025-27144 affects ASUSTOR products running ADM 4.3 onward on which Docker Engine 27.1.1 is installed. Updates with a new Docker Engine version will be released as soon as possible.
- Docker Engine 28.1.1.r52 for ADM 5.0 has been released to App Central to resolve the issue.
- Docker Engine 28.1.1.r1 for ADM 4.1, 4.2 and 4.3 has been released to App Central to resolve the issue.
Affected Products
Product | Severity | Fixed Release Availability
---|---|---
ADM 4.3, 4.2 and 4.1 | Moderate | Update Docker Engine to 28.1.1.r1 to fix the issue on ADM 4.1, 4.2 and 4.3.
ADM 5.0 | Moderate | Update Docker Engine to 28.1.1.r52 to fix the issue on ADM 5.0 and above.
Detail
- CVE-2025-27144
- Severity: Medium
- Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used `strings.Split(token, ".")` to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
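The pre-validation workaround described in the CVE-2025-27144 entry above, as an added example that is not Go JOSE's own code or fix and is not part of the advisory: the separator count is checked with `strings.Count`, which allocates nothing, before `strings.Split` is ever called, so a token consisting of thousands of `.` characters is rejected without building a slice of that many segments. The `maxTokenLen` bound and the `splitCompact`/`isBase64URL` names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// A compact JWS has 3 dot-separated parts and a compact JWE has 5; anything
// else is rejected before strings.Split ever allocates a slice for it.
const jwsParts, jweParts = 3, 5

// Assumed upper bound on token length for this example (not a Go JOSE value).
const maxTokenLen = 16 * 1024

var ErrMalformedCompact = errors.New("compact serialization: unexpected number of '.' separators")

// splitCompact pre-validates a compact JWS/JWE token and returns its parts.
// strings.Count inspects the input without allocating, so a crafted token of
// thousands of '.' characters never reaches strings.Split, the call whose
// per-dot slice growth exhausted memory in Go JOSE 4.x before 4.0.5.
func splitCompact(token string) ([]string, error) {
	if len(token) > maxTokenLen {
		return nil, fmt.Errorf("compact serialization: length %d exceeds %d", len(token), maxTokenLen)
	}
	if dots := strings.Count(token, "."); dots != jwsParts-1 && dots != jweParts-1 {
		return nil, fmt.Errorf("%w: got %d", ErrMalformedCompact, dots)
	}
	parts := strings.Split(token, ".")
	for i, p := range parts {
		if !isBase64URL(p) {
			return nil, fmt.Errorf("compact serialization: part %d is not base64url", i)
		}
	}
	return parts, nil
}

// isBase64URL reports whether s uses only the unpadded base64url alphabet
// (RFC 7515 section 2); an empty part is allowed (e.g. JWE with alg "dir").
func isBase64URL(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		if !(c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-' || c == '_') {
			return false
		}
	}
	return true
}

func main() { fmt.Println(splitCompact(strings.Repeat(".", 9))) }
```

Tokens that pass `splitCompact` can then be handed to the JOSE parser; the length and separator checks cost one pass over the input and no allocation.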
Revision
Revision | Date | Description
---|---|---
1 | 2025-05-02 | Initial public release.
2 | 2025-05-20 | Update Docker Engine to 28.1.1.r52 for fixing the issues on ADM 5.0 and above.
3 | 2025-07-03 | Update Docker Engine to 28.1.1.r1 for fixing the issues on ADM 4.1, 4.2 and 4.3.