CVE-2025-13053
Unknown Unknown - Not Provided
TLS Certificate Verification Bypass in Asustor ADM Enables MITM Attack

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: ASUSTOR, Inc.

Description
When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13053
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
asustor adm 5.1.0.rn42
asustor adm 4.3.3.rkd2
asustor adm 4.1.0
asustor adm 5.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-311 The product does not encrypt sensitive or critical information before storage or transmission.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring network traffic between the NAS and the UPS server for unencrypted or improperly validated TLS connections. Since the issue involves non-enforced TLS certificate verification allowing man-in-the-middle attacks, you can use network analysis tools like Wireshark or tcpdump to capture and inspect the TLS handshake and verify if certificate validation is properly enforced. For example, you can use the command `tcpdump -i <interface> port <UPS communication port>` to capture traffic and then analyze it for signs of unencrypted or weak TLS usage. Additionally, checking the NAS UPS configuration settings for TLS certificate enforcement can help identify vulnerable setups. However, no specific detection commands are provided in the available resources. [1]

Executive Summary

This vulnerability occurs when a user configures the NAS to retrieve UPS status or control the UPS, but the TLS certificate verification is not properly enforced. This allows an attacker who can intercept the network traffic between the client and server to perform a man-in-the-middle (MITM) attack, potentially obtaining sensitive information related to the UPS server configuration.

Impact Analysis

The vulnerability can allow an attacker to intercept and access sensitive information about the UPS server configuration by performing a man-in-the-middle attack. This could lead to unauthorized access or manipulation of UPS status and control data, potentially compromising the security and reliability of the UPS management.

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

As of the advisory date, no fixed releases are available to address this vulnerability. Immediate mitigation steps include avoiding configuring the NAS to retrieve UPS status or control the UPS until a patch is released, minimizing network exposure of the ADM device, and monitoring network traffic for suspicious man-in-the-middle activity. Since the vulnerability involves non-enforced TLS certificate verification, ensuring that any TLS connections to the UPS server are secured and verified by other means may help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13053. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart