CVE-2026-24936 PUBLISHED

An improper input validation vulnerability was found in ADM while joining a AD Domain.

Assigner: ASUSTOR1
Reserved: 28.01.2026 Published: 03.02.2026 Updated: 03.02.2026

When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	ASUSTOR
Product	ADM
Versions	Default: unaffected affected from 4.1.0 to 4.3.3.ROF1 (incl.) affected from 5.0.0 to 5.1.1.RCI1 (incl.)

Credits

Wilson Lu (@93wilsonlu), working with DEVCORE Internship Program finder

References

https://www.asustor.com/security/security_advisory_detail?id=51

Problem Types

CWE-20 Improper Input Validation CWE

Impacts

CAPEC-153 Input Data Manipulation