Every CVE whose affected-product data names Asustor Data Master, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (37)
CVE-2026-6643 — CVSS 9.9 (critical): A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and…
CVE-2026-24936 — CVSS 9.8 (critical): When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific…
CVE-2018-12313 — CVSS 9.8 (critical): OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the…
CVE-2026-6644 — CVSS 9.1 (critical): A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break…
CVE-2018-12318 — CVSS 8.8 (high): Information disclosure in the SNMP settings page in ASUSTOR ADM version 3.1.1 allows attackers to obtain the SNMP password in cleartext.
CVE-2023-2910 — CVSS 8.8 (high): Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in…
CVE-2018-12307 — CVSS 8.8 (high): OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST…
CVE-2018-12316 — CVSS 8.8 (high): OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST…
CVE-2018-12317 — CVSS 8.8 (high): OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name"…
CVE-2018-12312 — CVSS 8.8 (high): OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL…
CVE-2023-3699 — CVSS 8.7 (high): An Improper Privilege Management vulnerability was found in ASUSTOR Data Master (ADM) allows an unprivileged local users to modify the…
CVE-2023-3697 — CVSS 8.5 (high): Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory…
CVE-2023-3698 — CVSS 8.5 (high): Printer service fails to adequately handle user input, allowing an remote unauthorized users to navigate beyond the intended directory…
CVE-2026-3179 — CVSS 8.1 (high): The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious…
CVE-2018-12309 — CVSS 7.5 (high): Directory Traversal in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to upload files to arbitrary locations by modifying the…
CVE-2018-12314 — CVSS 7.5 (high): Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the…
CVE-2018-12319 — CVSS 7.5 (high): Denial-of-service in the login page of ASUSTOR ADM 3.1.1 allows attackers to prevent users from signing in by placing malformed text in the…
CVE-2018-15694 — CVSS 7.5 (high): ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to upload files to arbitrary locations due to a…
CVE-2018-12306 — CVSS 7.5 (high): Directory Traversal in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to view arbitrary files by modifying the "file1" URL…
CVE-2023-4475 — CVSS 7.5 (high): An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to…
CVE-2018-15697 — CVSS 6.5 (medium): ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on a share by providing the full…
CVE-2018-12308 — CVSS 6.5 (medium): Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encrypt_key" URL…
CVE-2018-12315 — CVSS 6.5 (medium): Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current…
CVE-2018-15695 — CVSS 6.5 (medium): ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to delete any file on the file system due to a…
CVE-2018-15698 — CVSS 6.5 (medium): ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to read any file on the file system when providing…
CVE-2026-3100 — CVSS 6.5 (medium): The FTP Backup on the ADM will not properly strictly enforce TLS certificate verification while connecting to an FTP server using…
CVE-2018-15699 — CVSS 6.1 (medium): ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a configuration file that is vulnerable to XSS. A man in the middle can take…
CVE-2018-12305 — CVSS 6.1 (medium): Cross-site scripting in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript by uploading SVG images with…
CVE-2026-24933 — CVSS 5.9 (medium): The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper…
CVE-2025-13052 — CVSS 5.9 (medium): When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows…
CVE-2026-24932 — CVSS 5.9 (medium): The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection…
CVE-2026-24935 — CVSS 5.6 (medium): A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access…
CVE-2018-12310 — CVSS 5.4 (medium): Cross-site scripting in the Login page in ASUSTOR ADM version 3.1.1 allows attackers to execute JavaScript via the System Announcement…
CVE-2018-12311 — CVSS 5.4 (medium): Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a…
CVE-2018-15696 — CVSS 4.3 (medium): ASUSTOR Data Master 3.1.5 and below allows authenticated remote non-administrative users to enumerate all user accounts via user.cgi.
CVE-2026-24934 — CVSS 3.7 (low): The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the…
CVE-2025-13053 — CVSS 3.7 (low): When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker…