
Three Security Advisories from Asustor

Concerning ADM NAS OS and GNU Inetutils

Asustor, Inc. has published three security advisories: two concerning certificate validation and input validation vulnerabilities in its ADM NAS OS, and one stating that its products are not affected by a telnetd vulnerability in GNU Inetutils.

Security advisory: AS-2026-001: ADM
Date: 2026-02-05
Severity: Important
Status: Ongoing

Statement
Multiple improper certificate validation vulnerabilities have been reported to affect ADM:

  • When updating the DDNS settings in ADM
  • When sending HTTPS requests to the server
  • When querying an external server for the device’s WAN IP address
  • In a 3rd-party NAT traversal module

Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.

  • The issues have been fixed in ADM 5.1.2.RE51. No fixed release is yet available for the ADM 4.x branches (status: Ongoing).

Affected Products

Product                     Severity    Fixed Release Availability
ADM 5.0                     Important   Upgrade to ADM 5.1.2.RE51 or above.
ADM 4.3, ADM 4.2 and 4.1    Important   Ongoing

Detail

  • CVE-2026-24932
    • Severity: High
    • CVSS4 Base Score: 8.9
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
    • The DDNS update process in ADM fails to properly validate the hostname in the DDNS server’s TLS/SSL certificate. Although the connection uses HTTPS, the improperly validated certificate allows a remote attacker to intercept the connection and perform a Man-in-the-Middle (MitM) attack, which may expose the sensitive information carried by the DDNS update, including the user’s account email, MD5-hashed password, and device serial number. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
  • CVE-2026-24933
    • Severity: High
    • CVSS4 Base Score: 8.9
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
    • The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. This improper certificate validation allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack and read the communication in cleartext, potentially exposing sensitive user information, including account emails, MD5-hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
  • CVE-2026-24934
    • Severity: Medium
    • CVSS4 Base Score: 6.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
    • The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device’s WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
  • CVE-2026-24935
    • Severity: Medium
    • CVSS4 Base Score: 6.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
    • A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
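
The four findings above share two client-side mistakes: an HTTPS client that does not verify the server certificate or bind it to the server name, and a WAN IP lookup that trusts whatever comes back, possibly over plain HTTP. The Python below is an added illustration of those patterns next to their hardened counterparts; it is not ADM code and does not reproduce how ADM implements DDNS. The function names, the lookup URL and the sample responses are assumptions made for the example.

```python
import ipaddress
import ssl
from urllib.parse import urlsplit


def make_client_context(strict=True):
    """TLS context for an outbound HTTPS client such as a DDNS updater.

    strict=True  : system CA store, chain verification and hostname matching.
    strict=False : the weak pattern behind AS-2026-001: the link is encrypted,
                   but any certificate, including one presented by a MitM,
                   is accepted.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not strict:
        ctx.check_hostname = False              # certificate no longer tied to the name
        ctx.verify_mode = ssl.CERT_NONE         # chain no longer verified at all
    return ctx


def audit_client_context(ctx):
    """Findings for a client context; an empty list means it is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def ensure_https(url):
    """Reject a plain-HTTP WAN IP lookup (the first half of CVE-2026-24934)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"WAN IP lookup must use https://, got {url!r}")
    return url


def parse_wan_ip(body):
    """Parse the body of a 'what is my IP' reply and refuse anything that
    cannot be a public address. This only blocks the crude spoof (pointing
    the DDNS name at a LAN, loopback or documentation address); an attacker
    on an unverified channel can still return any public address, so the
    lookup itself must run over a properly verified TLS connection."""
    text = body.strip()
    if len(text) > 45:                          # longest textual IPv6 form
        raise ValueError("reply too long to be a single IP address")
    addr = ipaddress.ip_address(text)           # raises ValueError on garbage
    if not addr.is_global:
        raise ValueError(f"{addr} is not a globally routable address")
    return addr


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical lookup URL, canned replies).
    print(audit_client_context(make_client_context(strict=False)))
    print(audit_client_context(make_client_context(strict=True)))
    print(ensure_https("https://wanip.example/ip"))
    print(parse_wan_ip("8.8.8.8\n"))
    for reply in ("10.0.0.5", "<html>blocked</html>"):
        try:
            parse_wan_ip(reply)
        except ValueError as exc:
            print("rejected:", exc)
```

The weak context is exactly what `ssl.create_default_context()` already avoids; the vulnerable pattern only appears when code opts out of verification (`CERT_NONE`, `check_hostname = False`, or a library call such as `verify=False`), so auditing for those settings is a quick way to find this class of bug in any HTTPS client.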

Reference

Acknowledgement: Nuke

Revision

Revision    Date          Description
1           2026-01-26    Initial public release.
2           2026-02-03    CVE IDs (CVE-2026-24932, CVE-2026-24933, CVE-2026-24934, CVE-2026-24935) have been assigned for the issues.
3           2026-02-05    ADM 5.1.2.RE51 has been released to fix the issues.


Security advisory: AS-2026-002: ADM

Date: 2026-02-05
Severity: Important
Status: Ongoing

Statement
An improper input validation vulnerability was found in the Active Directory (AD) domain join process of ADM. When a specific function is enabled while joining an AD domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, an attacker can overwrite critical system files, leading to complete system compromise.

Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.

  • The issue has been fixed in ADM 5.1.2.RE51. No fixed release is yet available for the ADM 4.x branches (status: Ongoing).

Affected Products

Product                     Severity    Fixed Release Availability
ADM 5.0                     Important   Upgrade to ADM 5.1.2.RE51 or above.
ADM 4.3, ADM 4.2 and 4.1    Important   Ongoing

Detail

  • CVE-2026-24936
    • Severity: Critical
    • CVSS4 Base Score: 9.5
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • When a specific function is enabled while joining an AD domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, an attacker can overwrite critical system files, leading to complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
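
The advisory does not say which parameter is involved or how the CGI program builds the destination path, so the Python below is an added illustration of the vulnerability class (a client-controlled file name used as a write target) next to the confinement check that prevents it; it is not ADM's code and does not describe how to trigger CVE-2026-24936. The function names, the throwaway directory layout and the sample file names are assumptions made for the example.

```python
from pathlib import Path, PurePosixPath


def resolve_within(base_dir, requested):
    """Map a client-supplied file name onto a path strictly inside base_dir.

    Rejects empty names, NUL bytes, absolute paths, '..' components and, by
    resolving symlinks before the final containment check, symlink escapes.
    """
    if not requested or "\x00" in requested:
        raise ValueError(f"rejected path: {requested!r}")
    rel = PurePosixPath(requested)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"rejected path: {requested!r}")
    base = Path(base_dir).resolve()
    target = (base / rel).resolve()             # follows symlinks on existing parts
    if target == base or base not in target.parents:
        raise ValueError(f"path escapes {base}: {requested!r}")
    return target


def write_unsafe(base_dir, name, data):
    """Vulnerable pattern: the file name comes straight from the request.
    With pathlib (and most path-joining APIs) an absolute name replaces the
    base entirely, and '..' walks out of it."""
    path = Path(base_dir) / name
    path.write_bytes(data)
    return path


def write_safe(base_dir, name, data):
    """Hardened pattern: confine the destination before touching the disk."""
    path = resolve_within(base_dir, name)
    path.write_bytes(data)
    return path


def demonstrate():
    """Run both writers in a throwaway directory tree and report what happened."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "base")
        outside = Path(tmp, "outside")            # stands in for /etc or similar
        base.mkdir()
        outside.mkdir()

        write_unsafe(base, "../outside/pwned", b"owned")
        results["unsafe_escaped"] = (outside / "pwned").exists()

        # Constructed hostile names: traversal, absolute, mixed, NUL, empty, dot.
        hostile = ["../outside/pwned", str(outside / "abs"), "a/../../x",
                   "ok\x00.txt", "", "."]
        rejected = []
        for name in hostile:
            try:
                write_safe(base, name, b"x")
            except ValueError:
                rejected.append(name)
        results["safe_rejected_all"] = rejected == hostile

        written = write_safe(base, "config.txt", b"ok")
        results["safe_wrote_inside"] = written.read_bytes() == b"ok"
    return results


if __name__ == "__main__":
    print(demonstrate())
```

Note the order of checks: the lexical tests (`..`, absolute, NUL) reject most payloads cheaply, but the `resolve()`-then-`parents` test is the one that actually enforces containment, including when an existing component inside the base is a symlink pointing outside it.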

Reference

Acknowledgement: Wilson Lu (@93wilsonlu), working with DEVCORE Internship Program

Revision

Revision    Date          Description
1           2026-01-26    Initial public release.
2           2026-02-03    CVE ID (CVE-2026-24936) has been assigned for the issue.
3           2026-02-05    ADM 5.1.2.RE51 has been released to fix the issue.


Security advisory: AS-2026-003: GNU Inetutils

Date: 2026-02-06
Severity: Not affected
Status: Resolved

Statement
A critical security vulnerability has been discovered in GNU Inetutils versions 1.9.3 to 2.7.

None of Asustor’s products are affected by CVE-2026-24061 as GNU Inetutils is not used in the company’s products.

Affected Products

Product                     Severity        Fixed Release Availability
ADM 5.0                     Not affected    N/A
ADM 4.3, ADM 4.2 and 4.1    Not affected    N/A

Detail

  • CVE-2026-24061
    • Severity: Critical
    • CVSS3.1 Base Score: 9.8
    • CVSS3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a “-f root” value for the USER environment variable.
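
Added illustration of the argument-injection mechanism behind the one-line description above; this is not code from inetutils or Asustor. A username taken from the client's USER environment variable is placed on a login command line, and a getopt-style parser then reads the value "-f root" as the -f (already authenticated) option instead of as a username. The option string and the argv layout are assumptions modelling a login(1)-style interface, not inetutils' real one.

```python
import getopt
import re

# Assumed option string for a login(1)-style interface: -p (preserve
# environment), -f USER (user is already authenticated), -h HOST.
# Illustration only, not inetutils' real option table.
LOGIN_OPTS = "pf:h:"
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def build_login_args_unsafe(remote_host, user):
    """Vulnerable pattern: the value the telnet client sent as its USER
    environment variable is appended to the login argv as-is."""
    return ["-p", "-h", remote_host, user]


def build_login_args_safe(remote_host, user):
    """Hardened pattern: validate the name and terminate option parsing with
    '--' so the client-controlled value can only ever be an operand."""
    if not USERNAME_RE.match(user):
        raise ValueError(f"refusing username {user!r}")
    return ["-p", "-h", remote_host, "--", user]


def parse_as_login_would(args):
    """Parse argv the way a getopt-based login program would.
    Returns (options as a dict, positional operands)."""
    opts, operands = getopt.getopt(args, LOGIN_OPTS)
    return dict(opts), operands


def preauth_user(args):
    """The user login would treat as already authenticated (the -f argument),
    or None if no -f option survived parsing."""
    opts, _ = parse_as_login_would(args)
    value = opts.get("-f")
    return value.strip() if value is not None else None


if __name__ == "__main__":
    # Constructed sample: a client announces USER="-f root"; host is hypothetical.
    hostile = "-f root"
    print(preauth_user(build_login_args_unsafe("203.0.113.9", hostile)))
    print(parse_as_login_would(build_login_args_unsafe("203.0.113.9", "alice")))
    try:
        build_login_args_safe("203.0.113.9", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The general defence is the same wherever a remote value reaches a command line: validate it against the shape a legitimate value can have, and separate options from operands with `--` so the parser can never promote it to a flag. The check in `preauth_user` is also a cheap regression test for any wrapper that builds such command lines.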

Reference

Revision

Revision    Date          Description
1           2026-02-06    Initial public release.
