CVE-2026-24936
Arbitrary File Write in ADM CGI Allows Remote System Compromise

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: ASUSTOR, Inc.

Description
When a specific function is enabled while joining an AD Domain from ADM, an improper input parameter validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include ADM 4.1.0 through ADM 4.3.3.ROF1 as well as ADM 5.0.0 through ADM 5.1.1.RCI1.
Affected Vendors & Products
Vendor | Product | Version
asustor | adm | From 4.1.0 (inc) to 4.3.3.ROF1 (inc)
asustor | adm | From 5.0.0 (inc) to 5.1.1.RCI1 (inc)
CWE ID | Description
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in ASUSTOR Data Master (ADM) software when a specific function related to joining an Active Directory (AD) Domain is enabled. It involves improper validation of input parameters in a CGI program, which allows an unauthenticated remote attacker to write arbitrary data to any file on the system. This means an attacker can overwrite critical system files, potentially leading to complete system compromise. [1]


How can this vulnerability impact me?

Exploiting this vulnerability can allow an attacker to overwrite critical system files on the affected system without authentication. This can lead to a complete system compromise, meaning the attacker could gain full control over the system, disrupt services, steal data, or cause other malicious activities. [1]


What immediate steps should I take to mitigate this vulnerability?

Users are strongly advised to upgrade ASUSTOR Data Master (ADM) software to version 5.1.2.RE31 or later, as this fixed release addresses the vulnerability. Disabling the specific function related to joining an Active Directory (AD) Domain, if possible, may also reduce risk until the upgrade is applied. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an unauthenticated remote attacker to write arbitrary data to any file on the system, potentially leading to complete system compromise by overwriting critical system files.

Such a compromise can lead to unauthorized access, data breaches, and loss of data integrity, which negatively impacts compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive data and system integrity.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to failure to adequately protect data and systems.

Source: [1]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Meta Information
CVE Publication Date: 2026-02-03
CVE Last Modified Date: 2026-02-03
Report Generation Date: 2026-02-10
AI Powered Q&A Generation: 2026-02-03
EPSS Last Evaluated Date: 2026-02-09