CVE-2026-24936
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-02-03
CWE-20
When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| asustor | data_master | 4.1.0.rhu2 - 4.3.3.rof1 |
| asustor | data_master | 5.0.0.ra82 - 5.1.2.re51 |
References
- www.asustor.com (Vendor Advisory)