ASUSTOR has released an urgent security statement detailing multiple critical and high-severity vulnerabilities affecting its ASUSTOR Data Master (ADM) operating system.
The flaws specifically target the FTP Backup component, creating a scenario where sensitive authentication credentials and entire backup archives could be intercepted or manipulated by remote attackers.
The first major issue, tracked as CVE-2026-3100, involves a high-severity failure in how the system validates secure connections.
“The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using FTPES/FTPS,” the official advisory warns. According to the report, “An improper validated TLS/SSL certificates allows a remote attacker can intercept network traffic to perform a Man-in-the-Middle (MitM) attack, which may intercept, modify, or obtain sensitive information such as authentication credentials and backup data”.
While the certificate flaw is dangerous, ASUSTOR has classified a second vulnerability, CVE-2026-3179, as Critical with a CVSS score of 9.2.
This flaw centers on “improperly sanitized filenames received from the FTP server when parsing directory listings”.
By exploiting this “path traversal vulnerability,” a malicious server or a well-placed MitM attacker can craft deceptive filenames that trick the ADM system into writing files outside of the intended backup directory. In a worst-case scenario, this could allow an attacker to overwrite critical system files or plant malicious code deep within the NAS infrastructure.
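A defensive sketch of the filename check a backup client needs before writing anything named by a remote listing. It is an added example, not ASUSTOR's code or its fix, which the advisory does not describe; the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import tempfile

class UnsafeRemoteName(ValueError):
    """Raised when a server-supplied filename must not be used locally."""

def safe_local_path(backup_root: str, remote_name: str) -> str:
    """Map one filename from an FTP listing to a path inside backup_root."""
    # A listing entry names a single directory member, never a path.
    if not remote_name or "\x00" in remote_name:
        raise UnsafeRemoteName(repr(remote_name))
    # Reject both separator styles; conservative for names sent by any server OS.
    if "/" in remote_name or "\\" in remote_name:
        raise UnsafeRemoteName(repr(remote_name))
    if remote_name in (".", ".."):
        raise UnsafeRemoteName(repr(remote_name))
    root = os.path.realpath(backup_root)
    candidate = os.path.realpath(os.path.join(root, remote_name))
    # Defence in depth: after resolving symlinks the target must stay under root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRemoteName(repr(remote_name))
    return candidate

def filter_listing(backup_root, names):
    """Split listing names into safe local paths and rejected names."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(backup_root, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected

# Constructed sample listing, as a hostile or tampered server might return it.
SAMPLE_LISTING = [
    "photos-2024.tar",
    "../../etc/cron.d/job",
    "/etc/passwd",
    "..\\..\\config.ini",
    "..",
    "notes.txt",
]

def demo():
    with tempfile.TemporaryDirectory() as root:
        accepted, rejected = filter_listing(root, SAMPLE_LISTING)
        return [os.path.basename(p) for p in accepted], rejected

if __name__ == "__main__":
    print(demo())
```

Rejected names are worth logging with the server address, since a listing that contains them indicates a hostile or tampered backup destination.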
The vulnerabilities affect a broad range of ADM releases, including:
- ADM 4.1.0 through ADM 4.3.3.ROF1
- ADM 5.0.0 through ADM 5.1.2.RE51
ASUSTOR has moved quickly to close these loopholes. “The issues have been fixed on ADM 5.1.2.REO1,” the company confirmed.
Administrators and home users alike are urged to update their NAS devices to ADM 5.1.2.REO1 or newer immediately. Because these vulnerabilities exploit the trust between your NAS and its backup destination, ensuring your system strictly enforces certificate validation is no longer optional—it is a critical necessity for data integrity.