CVE-2025-13052
Unknown Unknown - Not Provided
Improper TLS Validation in ADM SMTP Client Enables MITM Attack

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: ASUSTOR, Inc.

Description
When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13052
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
asustor adm 5.1.0.rn42
asustor adm 4.3.3.rkd2
asustor adm 4.1.0
asustor adm 5.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows a man-in-the-middle (MITM) attacker to intercept sensitive SMTP information due to improper validation of TLS/SSL certificates. This exposure of sensitive information could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of sensitive data in transit. However, the provided resources do not explicitly discuss compliance impacts. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the affected ADM versions (4.1.0 through 4.3.3.RKD2 and 5.0.0 through 5.1.0.RN42) for sending notifications via msmtp until a fixed release is available. Since the vulnerability arises from improper TLS/SSL certificate validation, you should ensure that network traffic between the SMTP client and server is protected from interception, for example by using network-level protections such as VPNs or secure network segments. Additionally, monitor for any suspicious network activity that could indicate a man-in-the-middle attack. No fixed patches are available at the time of the advisory. [1]

Executive Summary

This vulnerability occurs when the Notification's sender is configured to send emails to the SMTP server using msmtp, but the TLS/SSL certificates are improperly validated. This flaw allows an attacker who can intercept the network traffic between the SMTP client and server to perform a man-in-the-middle (MITM) attack, potentially capturing sensitive information transmitted via SMTP.

Impact Analysis

The vulnerability can lead to a man-in-the-middle attack where an attacker intercepts and obtains sensitive information sent between the SMTP client and server. This compromises the confidentiality of email communications and may expose sensitive data to unauthorized parties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13052. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart