CVE-2026-24936
Arbitrary File Write in ADM CGI Allows Remote System Compromise

Publication date: 2026-02-03

Last updated on: 2026-02-19

Assigner: ASUSTOR, Inc.

Description
When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include ADM 4.1.0 through ADM 4.3.3.ROF1 and ADM 5.0.0 through ADM 5.1.1.RCI1.

Meta Information
Published: 2026-02-03
Last Modified: 2026-02-19
Generated: 2026-06-16
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-06-14

Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
asustor | data_master | From 4.1.0.rhu2 (inc) to 4.3.3.rof1 (inc)
asustor | data_master | From 5.0.0.ra82 (inc) to 5.1.2.re51 (exc)

CWE ID | Description
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Detection Guidance

I don't know

Executive Summary

This vulnerability occurs in ASUSTOR Data Master (ADM) software when a specific function related to joining an Active Directory (AD) Domain is enabled. It involves improper validation of input parameters in a CGI program, which allows an unauthenticated remote attacker to write arbitrary data to any file on the system. This means an attacker can overwrite critical system files, potentially leading to complete system compromise. [1]

Impact Analysis

Exploiting this vulnerability can allow an attacker to overwrite critical system files on the affected system without authentication. This can lead to a complete system compromise, meaning the attacker could gain full control over the system, disrupt services, steal data, or carry out other malicious activity. [1]

Mitigation Strategies

Users are strongly advised to upgrade ASUSTOR Data Master (ADM) software to version 5.1.2.RE31 or later, as this fixed release addresses the vulnerability. Disabling the specific function related to joining an Active Directory (AD) Domain, if possible, may also reduce risk until the upgrade is applied. [1]

Compliance Impact

This vulnerability allows an unauthenticated remote attacker to write arbitrary data to any file on the system, potentially leading to complete system compromise by overwriting critical system files.

Such a compromise can lead to unauthorized access, data breaches, and loss of data integrity, which negatively impacts compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to failure to adequately protect data and systems.
