CVE-2026-24935
SSL/TLS Validation Bypass in ADM NAT Module Enables MitM Attack
Publication date: 2026-02-03
Last updated on: 2026-02-19
Assigner: ASUSTOR, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asustor | data_master | From 4.1.0.rhu2 (inc) to 4.3.3.rof1 (inc) |
| asustor | data_master | From 5.0.0.ra82 (inc) to 5.1.2.re51 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability involves a third-party NAT traversal module that does not properly validate SSL/TLS certificates when connecting to the signaling server. As a result, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment process. Although further authentication is required to access device services, the attacker could disrupt service availability or act as a proxy to facilitate additional targeted attacks between the user and the device services.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to intercept or redirect the NAT tunnel establishment, potentially disrupting service availability. Additionally, by acting as a proxy between the user and device services, the attacker could facilitate further targeted attacks, compromising the security and reliability of the affected device services.