A severe vulnerability has been discovered in ASUSTOR ADM (ASUSTOR Data Master), the operating system that powers ASUSTOR’s network-attached storage (NAS) devices. Tracked as CVE-2026-24936, the flaw carries a critical CVSS score of 9.5 and poses a grave threat to both data integrity and control of the system.
The vulnerability resides within a specific CGI program that handles requests when an administrator attempts to join the NAS to an Active Directory (AD) domain. Due to improper input validation, an unauthenticated attacker can exploit this function remotely.
The core issue is an arbitrary file write. When the affected function is enabled, the CGI program fails to validate its input parameters, so an attacker can choose both the file that is written and the data written into it.
“An improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system.” — ASUSTOR Security Advisory
This capability is catastrophic for a NAS device. By overwriting critical system files, an attacker can effectively seize control of the entire operating system, disable security features, or corrupt stored data.
“By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise.” — ASUSTOR Security Advisory
The vulnerability affects a wide range of ADM versions, spanning both the 4.x and 5.x branches:
- From ADM 4.1.0 through ADM 4.3.3.ROF1
- From ADM 5.0.0 through ADM 5.1.1.RCI1
ASUSTOR has released a patch to address this critical security gap. Users are urged to upgrade immediately to ADM 5.1.2.RE31 or a later version.
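For fleet triage, the affected ranges and fix version above can be turned into a version check. The following is an added example (not code from the article or from ASUSTOR); it assumes that ADM build tags of the same numeric release (e.g. RCI1) compare lexically, and that hostnames in the inventory are constructed sample data.

```python
import re
from typing import Dict, Tuple

# Affected ranges and fixed version as stated in the advisory text above.
AFFECTED_RANGES = [
    ("4.1.0", "4.3.3.ROF1"),
    ("5.0.0", "5.1.1.RCI1"),
]
FIXED_VERSION = "5.1.2.RE31"

# major.minor.patch with an optional alphanumeric build tag
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")


def parse_adm_version(version: str) -> Tuple[int, int, int, str]:
    """Split '5.1.1.RCI1' into (5, 1, 1, 'RCI1').

    A missing build tag yields '' so that '5.1.1' sorts before any tagged
    build of the same release. Raises ValueError on unrecognised input.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ADM version string: {version!r}")
    major, minor, patch, tag = m.groups()
    return int(major), int(minor), int(patch), (tag or "").upper()


def is_affected(version: str) -> bool:
    """True if the version lies inside a published affected range.
    Assumption: build tags within one numeric release compare lexically."""
    v = parse_adm_version(version)
    return any(parse_adm_version(lo) <= v <= parse_adm_version(hi)
               for lo, hi in AFFECTED_RANGES)


def is_fixed(version: str) -> bool:
    """True if the version is the fixed release or later."""
    return parse_adm_version(version) >= parse_adm_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify a {hostname: ADM version} inventory for CVE-2026-24936."""
    result = {}
    for host, ver in inventory.items():
        try:
            if is_affected(ver):
                result[host] = "AFFECTED - upgrade to " + FIXED_VERSION
            elif is_fixed(ver):
                result[host] = "patched"
            else:
                result[host] = "outside advisory ranges - verify manually"
        except ValueError:
            result[host] = "unparseable version"
    return result
```

Versions that are newer than a range's upper bound but older than the fix (for example a hypothetical 4.3.3.ROF2) are deliberately flagged for manual review rather than assumed safe.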
Given the severity of the flaw and the fact that NAS devices are often prime targets for ransomware groups looking to destroy backups, administrators should prioritize this update. Until the patch is applied, disabling AD domain joining features or restricting network access to the NAS management interface is highly recommended.