CVE-2026-3179

CRITICAL EPSS 38.5%

Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago

9.2 CVSS 4.0

Critical

Published Feb 25, 2026 4mo ago

Last Modified Jun 17, 2026 1w ago

Description

The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.

CVSS Details

Base Score

9.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

38.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 2

Vendor	Product	Version	Range
asustor	data_master	*	≥4.1.0.rhu2 – ≤4.3.3.rof1
asustor	data_master	*	≥5.0.0.ra82 – <5.1.2.reo1

References 1

asustor.com https://www.asustor.com/security/security_advisory_detail?id=53

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.