Critical ASUSTOR NAS Security Flaw Enables Complete Device Takeover


A severe vulnerability affecting ASUSTOR Network Attached Storage (NAS) devices has been disclosed, potentially allowing unauthenticated attackers to seize full control of affected systems.

Tracked as CVE-2026-24936, this critical flaw carries a CVSS v4.0 base score of 9.5, highlighting the urgency for administrators to apply available updates immediately.

The vulnerability resides within the ASUSTOR Data Master (ADM) operating system, specifically targeting the process used for joining an Active Directory (AD) Domain.

Technical Analysis

The core issue is an improper input validation vulnerability located in a specific CGI program.

The flaw manifests when a specific function is enabled while the NAS is attempting to join an AD Domain.

Due to a failure to correctly validate input parameters, the system becomes susceptible to manipulation.

An unauthenticated remote attacker can exploit this weakness to bypass security controls and write arbitrary data to any file on the system.

By leveraging this arbitrary file write capability, threat actors can overwrite critical system files or configuration settings.

This chain of exploitation leads to a complete system compromise, granting the attacker root-level access to the NAS device and the sensitive data stored within.

Property              Detail
CVE ID                CVE-2026-24936
Severity              Critical
CVSS v4.0 Score       9.5
Vector                CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerability Type    Improper Input Validation / Arbitrary File Write
Researcher            Wilson Lu (@93wilsonlu) / DEVCORE Internship

Affected Versions and Remediation

The vulnerability impacts two major branches of the ADM software. While a fix is available for the newer branch, older versions currently remain exposed.

ASUSTOR has released a patch for the ADM 5.x series. The issue is resolved in ADM 5.1.2.RE31. Users running ADM 5.0.0 through 5.1.1.RCI1 must upgrade immediately to the fixed release.

For users on the ADM 4.x branch (versions 4.1.0 through 4.3.3.ROF1), the status is currently listed as “Ongoing.”

Administrators managing these versions should monitor ASUSTOR’s security advisories closely for an incoming patch and consider isolating these devices from the public internet or disabling AD Domain joining features if feasible until a fix is deployed.
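The version ranges above are easy to misread when triaging a fleet, especially because ADM version strings carry a build tag (RE31, RCI1, ROF1) after the numeric triple. The following script is an added example, not code from ASUSTOR or from this article: it encodes the affected and fixed versions exactly as stated here and classifies an inventory of devices as fixed, affected (upgrade available), ongoing (no patch yet) or unknown. The inventory lines and hostnames are constructed sample input. One assumption is deliberate: build tags within the same numeric release (for example two different 5.1.2 builds) are not ordered by this checker, so only the exact fixed build 5.1.2.RE31 or a later numeric release is reported as fixed; anything else in that release is flagged unknown for manual review.

```python
import re

# Version boundaries exactly as stated in the advisory text for CVE-2026-24936.
FIXED_5X = "5.1.2.RE31"          # issue resolved in this ADM 5.x release
AFFECTED_5X_MIN = "5.0.0"        # ADM 5.0.0 through 5.1.1.RCI1 must upgrade
AFFECTED_5X_MAX = "5.1.1.RCI1"
AFFECTED_4X_MIN = "4.1.0"        # ADM 4.1.0 through 4.3.3.ROF1: fix status "Ongoing"
AFFECTED_4X_MAX = "4.3.3.ROF1"

# major.minor.patch with an optional alphanumeric build tag, e.g. "5.1.2.RE31".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")


def parse_adm_version(version: str) -> tuple[tuple[int, int, int], str]:
    """Split an ADM version string into a numeric (major, minor, patch) triple and a build tag."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ADM version string: {version!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch)), (tag or "")


def classify_adm_version(version: str) -> str:
    """Return 'fixed', 'affected', 'ongoing' or 'unknown' for one ADM version string."""
    triple, tag = parse_adm_version(version)
    fixed_triple, fixed_tag = parse_adm_version(FIXED_5X)

    if triple[0] == 5:
        if triple == fixed_triple:
            # Assumption: build tags inside one numeric release are not ordered here,
            # so only the exact fixed build counts as fixed; other builds need review.
            return "fixed" if tag == fixed_tag else "unknown"
        if triple > fixed_triple:
            return "fixed"
        lo = parse_adm_version(AFFECTED_5X_MIN)[0]
        hi = parse_adm_version(AFFECTED_5X_MAX)[0]
        return "affected" if lo <= triple <= hi else "unknown"

    if triple[0] == 4:
        lo = parse_adm_version(AFFECTED_4X_MIN)[0]
        hi = parse_adm_version(AFFECTED_4X_MAX)[0]
        # No patch is available for this branch yet, so these devices stay exposed.
        return "ongoing" if lo <= triple <= hi else "unknown"

    return "unknown"


def triage_inventory(lines: list[str]) -> dict[str, str]:
    """Map each 'hostname,version' inventory line to its classification."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        result[host] = classify_adm_version(version)
    return result


# Constructed sample inventory (hostnames and versions are illustrative, not real devices).
SAMPLE_INVENTORY = [
    "# hostname,adm_version",
    "nas-hq-01,5.1.2.RE31",
    "nas-hq-02,5.1.1.RCI1",
    "nas-branch-03,4.3.3.ROF1",
    "nas-lab-04,5.2.0.RE01",
    "nas-legacy-05,4.0.9",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as "ongoing" are the ADM 4.x systems the article says currently have no fix; they are the ones to isolate or to keep away from AD Domain joining until ASUSTOR ships a patch, and "unknown" entries should be checked by hand rather than assumed safe.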
