CVE-2026-24936

N/A Unknown

📋 TL;DR

An unauthenticated remote attacker can write arbitrary data to any file on Asustor ADM systems when a specific function is enabled during AD Domain joining. This allows complete system compromise by overwriting critical files. Affects Asustor ADM versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1.

💻 Affected Systems

Products:
  • Asustor ADM (Asustor Data Master)
Versions: ADM 4.1.0 through 4.3.3.ROF1 and ADM 5.0.0 through 5.1.1.RCI1
Operating Systems: Asustor ADM Linux-based OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires the specific AD Domain joining function to be enabled, but this is a standard administrative feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with root access, data destruction, or persistent backdoor installation.

🟠 Likely Case

System compromise leading to data theft, ransomware deployment, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to compromise systems directly from the internet.
🏢 Internal Only: HIGH - Even internally, unauthenticated access means any compromised internal system can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Unauthenticated remote file write with arbitrary data.

The vulnerability is in a specific CGI program with improper input validation, making exploitation straightforward once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ADM 4.3.4.RIY1 and ADM 5.1.2.RCJ1 or later

Vendor Advisory: https://www.asustor.com/security/security_advisory_detail?id=51

Restart Required: Yes

Instructions:

1. Log into the ADM web interface.
2. Go to Settings > ADM Update.
3. Check for updates and install the latest version.
4. Reboot the system after the update completes.

🔧 Temporary Workarounds

Disable AD Domain Joining Function

Temporarily disable the specific function that triggers the vulnerability when joining an AD Domain.

Navigate to ADM Settings > Domain/LDAP and disable AD Domain joining if not required

Network Access Control

Restrict network access to ADM web interface and management ports.

Use firewall rules to limit access to trusted IP addresses only

🧯 If You Can't Patch

  • Isolate affected systems from internet and untrusted networks using firewall rules.
  • Implement strict network segmentation to limit lateral movement if exploitation occurs.

🔍 How to Verify

Check if Vulnerable:

Check the ADM version in the web interface: Settings > ADM Update > Current Version. If the version is in the range 4.1.0 through 4.3.3.ROF1 or 5.0.0 through 5.1.1.RCI1, the system is vulnerable.

Check Version:

ssh admin@nas_ip 'cat /usr/builtin/etc/version'

Alternatively, check via the ADM web interface.

Verify Fix Applied:

Verify ADM version is 4.3.4.RIY1 or later for ADM 4.x, or 5.1.2.RCJ1 or later for ADM 5.x.
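
The version checks above, as an added shell example (not from Asustor or the original page): it classifies an ADM version string against the affected and fixed ranges this advisory lists. It assumes the MAJOR.MINOR.PATCH.BUILD layout of the version strings shown above; the function names are hypothetical, and because the page gives no ordering for build tags, a build of the fixed release other than the named one is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Classify an ADM version string against the CVE-2026-24936 ranges above.
# Prints one of: vulnerable | patched | unknown | not-listed
# Function names are hypothetical (added example, not Asustor code).

# _adm_branch MINOR PATCH TAG FIRST_KEY LAST_VULN_KEY FIX_KEY FIX_TAG
# Keys are MINOR*1000+PATCH (assumes every component is below 1000).
_adm_branch() {
    key=$(( $1 * 1000 + $2 ))
    if   [ "$key" -lt "$4" ]; then echo not-listed   # older than the listed range
    elif [ "$key" -le "$5" ]; then echo vulnerable   # any build of an affected release
    elif [ "$key" -gt "$6" ]; then echo patched      # newer release than the fix
    elif [ "$3" = "$7" ];     then echo patched      # exactly the fixed build
    else echo unknown                                # fixed release, other build tag
    fi
}

adm_cve_2026_24936_status() {
    # Split on dots only, with globbing off so odd input is never expanded.
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    # Need MAJOR.MINOR.PATCH, optionally followed by one build tag.
    [ "$#" -ge 3 ] && [ "$#" -le 4 ] || { echo unknown; return 0; }
    for part in "$1" "$2" "$3"; do
        case $part in
            # Reject empty, non-numeric or zero-padded components.
            ''|*[!0-9]*|0[0-9]*) echo unknown; return 0 ;;
        esac
    done
    case $1 in
        # 4.1.0 .. 4.3.3.ROF1 affected, fixed in 4.3.4.RIY1
        4) _adm_branch "$2" "$3" "${4:-}" 1000 3003 3004 RIY1 ;;
        # 5.0.0 .. 5.1.1.RCI1 affected, fixed in 5.1.2.RCJ1
        5) _adm_branch "$2" "$3" "${4:-}" 0 1001 1002 RCJ1 ;;
        # Other major versions are outside the ranges the advisory names.
        *) echo not-listed ;;
    esac
}

# Constructed sample versions (not taken from real devices).
for v in 4.0.7 4.3.3.ROF1 4.3.4.RIY1 5.1.1.RCI1 5.1.2.RCJ1 5.1.2.XXXX; do
    printf '%-12s %s\n' "$v" "$(adm_cve_2026_24936_status "$v")"
done
```

Treat an "unknown" or "not-listed" result as a prompt to compare the device against the vendor advisory by hand, not as a clean bill of health.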

📡 Detection & Monitoring

Log Indicators:

  • Unusual CGI program access logs
  • Unexpected file write operations in system logs
  • Failed or successful AD Domain join attempts from unknown sources

Network Indicators:

  • Unusual HTTP requests to CGI endpoints from untrusted IPs
  • Unexpected outbound connections from ADM system

SIEM Query:

source="ADM_logs" AND (cgi_program_access OR file_write_anomaly OR ad_domain_join_attempt)
