CVE-2026-24933

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to perform Man-in-the-Middle attacks by intercepting HTTPS communications due to improper SSL/TLS certificate validation. It affects ASUSTOR ADM systems running versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1, potentially exposing sensitive user information including emails, hashed passwords, and device serial numbers.

💻 Affected Systems

Products:
  • ASUSTOR ADM (ASUSTOR Data Master)
Versions: ADM 4.1.0 through 4.3.3.ROF1 and ADM 5.0.0 through 5.1.1.RCI1
Operating Systems: ASUSTOR ADM (Linux-based NAS OS)
Default Config Vulnerable: ⚠️ Yes
Notes: All systems running affected ADM versions are vulnerable by default as this is a core API communication component issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete interception of all API communications, exposure of all transmitted sensitive data including account credentials and device information, potential account takeover and lateral movement within the network.

🟠 Likely Case

Interception of specific API communications when attackers position themselves between client and server, exposure of user emails, hashed passwords, and device serial numbers transmitted during vulnerable sessions.

🟢 If Mitigated

Limited exposure if network segmentation prevents attacker positioning, but still vulnerable to internal threats or compromised network segments.

🌐 Internet-Facing: HIGH - Any internet-facing ASUSTOR ADM systems with vulnerable versions are exposed to remote MitM attacks from anywhere on the internet.
🏢 Internal Only: MEDIUM - Internal systems are vulnerable to insider threats or compromised internal devices that can perform MitM attacks on local network traffic.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to position themselves as a Man-in-the-Middle, which can be achieved through ARP spoofing, DNS poisoning, or compromising network infrastructure. No authentication is required to exploit the vulnerability once MitM position is established.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ADM 4.3.4.RJ62 and ADM 5.1.2.RH72 or later

Vendor Advisory: https://www.asustor.com/security/security_advisory_detail?id=50

Restart Required: Yes

Instructions:

1. Log into the ADM web interface.
2. Navigate to Settings > ADM Update.
3. Check for updates.
4. Install ADM 4.3.4.RJ62 or ADM 5.1.2.RH72 or later.
5. Restart the NAS when prompted.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected versions)

Isolate vulnerable ADM systems from untrusted networks and limit API communication to trusted internal networks only.

VPN Tunnel for Remote Access (applies to: all affected versions)

Require all remote API access to go through a VPN with proper certificate validation instead of direct HTTPS connections.

🧯 If You Can't Patch

  • Isolate affected systems in a dedicated VLAN with strict network access controls
  • Implement certificate pinning at the application layer if possible, or use VPN tunnels for all API communications

🔍 How to Verify

Check if Vulnerable:

Check ADM version in web interface: Settings > ADM Update > Current Version. If version is between 4.1.0-4.3.3.ROF1 or 5.0.0-5.1.1.RCI1, system is vulnerable.

Check Version:

ssh admin@nas_ip 'grep version /etc/nas.conf' (or check the current version in the ADM web interface)

Verify Fix Applied:

Verify ADM version is 4.3.4.RJ62 or later for ADM 4.x, or 5.1.2.RH72 or later for ADM 5.x. Test API connections with invalid certificates - they should be rejected.
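As an added example (not code from this page or from ASUSTOR), a small Python checker that parses an ADM version string, reports whether it falls inside the affected ranges listed above, and names the fixed build for that branch. The "version = ..." line format it reads from nas.conf output is an assumption, not something the advisory confirms.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges from the advisory, keyed by ADM major version.
# Only the numeric major.minor.patch part decides the outcome: the fixed
# builds (4.3.4.RJ62, 5.1.2.RH72) differ from the last affected ones there.
AFFECTED = {
    4: ((4, 1, 0), (4, 3, 3)),  # 4.1.0 through 4.3.3.ROF1
    5: ((5, 0, 0), (5, 1, 1)),  # 5.0.0 through 5.1.1.RCI1
}
FIXED_IN = {4: "4.3.4.RJ62", 5: "5.1.2.RH72"}

# major.minor.patch with an optional build code such as ROF1 or RJ62.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Z]+\d+))?")


def parse_adm_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a string like '4.3.3.ROF1'."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ADM version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(version: str) -> dict:
    """Decide whether an ADM version lies in an affected range."""
    v = parse_adm_version(version)
    rng = AFFECTED.get(v[0])
    vulnerable = rng is not None and rng[0] <= v <= rng[1]
    return {"version": version, "vulnerable": vulnerable,
            "fixed_in": FIXED_IN.get(v[0])}


def assess_nas_conf(conf_output: str) -> Optional[dict]:
    """Run the output of `grep version /etc/nas.conf` through assess().
    Assumes (not confirmed by the advisory) a 'version = 4.3.3.ROF1' line."""
    for line in conf_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "version":
            return assess(value.strip())
    return None


if __name__ == "__main__":
    # Constructed sample output, not captured from a real NAS.
    SAMPLE = "hostname = nas-lab\nversion = 4.3.3.ROF1\n"
    print(assess_nas_conf(SAMPLE))
    for ver in ("4.3.4.RJ62", "5.1.1.RCI1", "5.1.2.RH72", "4.0.5"):
        print(assess(ver))
```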

📡 Detection & Monitoring

Log Indicators:

  • Failed SSL/TLS handshakes that should succeed
  • Unexpected certificate warnings in application logs
  • API connections from unexpected network locations

Network Indicators:

  • Unusual ARP traffic suggesting spoofing
  • DNS queries for ADM systems from unexpected sources
  • SSL/TLS connections with self-signed or invalid certificates to ADM API endpoints

SIEM Query:

source="*asustor*" AND ("certificate" OR "SSL" OR "TLS") AND ("warning" OR "error" OR "invalid")
