CVE-2026-24933
Unknown Unknown - Not Provided
Improper SSL Validation in ADM API Enables MitM Attack

Publication date: 2026-02-03

Last updated on: 2026-02-19

Assigner: ASUSTOR, Inc.

Description
The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24933
EUVD
EUVD-2026-5284
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
asustor data_master From 4.1.0.rhu2 (inc) to 4.3.3.rof1 (inc)
asustor data_master From 5.0.0.ra82 (inc) to 5.1.2.re51 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because the API communication component does not properly validate SSL/TLS certificates when making HTTPS requests. This flaw allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack, intercepting the communication in cleartext. As a result, sensitive user information such as account emails, MD5 hashed passwords, and device serial numbers can be exposed.

Impact Analysis

The vulnerability can lead to the exposure of sensitive user information by allowing an attacker to intercept communications between the client and server. This can result in unauthorized access to account emails, hashed passwords, and device serial numbers, potentially compromising user accounts and device security.

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack by exploiting improper SSL/TLS certificate validation. As a result, sensitive user information such as account emails, MD5 hashed passwords, and device serial numbers can be exposed in cleartext during communication.

Exposure of sensitive personal data through this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information during transmission.

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart