CVE-2026-3179
Received
Received - Intake
Path Traversal in ASUSTOR ADM FTP Backup Allows Unauthorized Access
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: ASUSTOR, Inc.
Description
Description
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asustor | data_master | From 4.1.0.rhu2 (inc) to 4.3.3.rof1 (inc) |
| asustor | data_master | From 5.0.0.ra82 (inc) to 5.1.2.reo1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
