CVE-2026-24935

EUVD-2026-5286

03.02.2026, 03:15

A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.6 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
asustor	data_master	4.1.0.rhu2 ≤ 𝑥 ≤ 4.3.3.rof1
asustor	data_master	5.0.0.ra82 ≤ 𝑥 < 5.1.2.re51

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-295 - Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate.

References

https://www.asustor.com/security/security_advisory_detail?id=50