CVE-2025-13052
Improper TLS Validation in ADM SMTP Client Enables MITM Attack
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: ASUSTOR, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asustor | adm | 5.1.0.rn42 |
| asustor | adm | 4.3.3.rkd2 |
| asustor | adm | 4.1.0 |
| asustor | adm | 5.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the affected ADM versions (4.1.0 through 4.3.3.RKD2 and 5.0.0 through 5.1.0.RN42) for sending notifications via msmtp until a fixed release is available. Since the vulnerability arises from improper TLS/SSL certificate validation, you should ensure that network traffic between the SMTP client and server is protected from interception, for example by using network-level protections such as VPNs or secure network segments. Additionally, monitor for any suspicious network activity that could indicate a man-in-the-middle attack. No fixed patches are available at the time of the advisory. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a man-in-the-middle (MITM) attacker to intercept sensitive SMTP information due to improper validation of TLS/SSL certificates. This exposure of sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive data in transit. However, the provided resources do not explicitly discuss compliance impacts. [1]
Can you explain this vulnerability to me?
This vulnerability occurs when the Notification feature's sender is configured to deliver emails to the SMTP server using msmtp, but the server's TLS/SSL certificate is improperly validated. Because the client does not reliably check that the certificate belongs to the intended SMTP server, an attacker who can intercept the network traffic between the SMTP client and server can present their own certificate and perform a man-in-the-middle (MITM) attack, potentially capturing sensitive information transmitted via SMTP.
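The weakness described above is a CWE-295 configuration-level failure: the SMTP client negotiates TLS but does not validate the certificate it receives. The following audit script is an added example (not ADM's or msmtp's own code) that parses msmtp-style configuration files and flags accounts whose settings would leave the connection open to interception. It assumes only the documented msmtp keys `tls`, `tls_starttls`, `tls_certcheck`, `tls_trust_file` and `tls_fingerprint`, a simplified reading of `defaults`/`account` blocks, and a constructed sample configuration with one weak and one hardened account; the hostnames and paths in the sample are placeholders.

```python
"""Audit msmtp-style configuration for disabled or unanchored TLS certificate validation.

Added example, not code from the advisory, ADM or the msmtp project. It handles
the subset of msmtp's configuration grammar needed here: 'defaults' and
'account NAME' blocks containing 'key value' lines, with '#' comments.
"""

# Constructed sample configuration: two accounts, one weak and one hardened.
# Hostnames and file paths are placeholders, not values from the advisory.
SAMPLE_CONFIG = """\
defaults
auth on
port 587

account weak
host smtp.example.invalid
tls on
tls_certcheck off
from nas@example.invalid

account hardened
host smtp.example.invalid
tls on
tls_starttls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
from nas@example.invalid
"""


def parse_msmtp(text):
    """Return {account_name: {key: value}} with the 'defaults' block folded into each account.

    Assumption: 'account X : Y' inheritance is reduced to the account name X only.
    """
    defaults = {}
    accounts = {}
    current = defaults
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "defaults":
            current = defaults
        elif key == "account":
            name = value.split(":")[0].strip()
            current = dict(defaults)  # account starts from a copy of the defaults
            accounts[name] = current
        else:
            current[key] = value
    return accounts


def audit_account(settings):
    """Return a list of findings explaining why certificate validation would not protect this account.

    An empty list means TLS is on, validation is enabled, and an explicit trust anchor is set.
    """
    findings = []
    if settings.get("tls", "off") != "on":
        findings.append("tls off: credentials and mail are sent in clear text")
        return findings
    if settings.get("tls_certcheck", "on") == "off":
        # This is the CWE-295 condition: any certificate is accepted, so a
        # network-position attacker can terminate the TLS session themselves.
        findings.append("tls_certcheck off: server certificate is not validated (MITM possible)")
    elif not settings.get("tls_trust_file") and not settings.get("tls_fingerprint"):
        findings.append("no tls_trust_file or tls_fingerprint: no explicit trust anchor configured")
    return findings


def audit_config(text):
    """Audit every account in a configuration text; returns {account_name: [findings]}."""
    return {name: audit_account(cfg) for name, cfg in parse_msmtp(text).items()}


if __name__ == "__main__":
    for account, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "WEAK"
        print(f"[{status}] {account}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against a real `~/.msmtprc` or `/etc/msmtprc` by reading the file into `audit_config`; any account reported with `tls_certcheck off` is in exactly the state the advisory describes, and the fix is to turn validation back on and point `tls_trust_file` at the CA bundle that issued the mail server's certificate.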
How can this vulnerability impact me?
The vulnerability can lead to a man-in-the-middle attack where an attacker intercepts and obtains sensitive information sent between the SMTP client and server. This compromises the confidentiality of email communications and may expose sensitive data to unauthorized parties.