CVE-2026-3179

The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.asustor.com/security/security_advisory_detail?id=53	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:asustor:data_master::::::::
	cpe:2.3:o:asustor:data_master::::::::

History

No history.

Information

Published : 2026-02-25 06:16

Updated : 2026-02-26 16:32

NVD link : CVE-2026-3179

Mitre link : CVE-2026-3179

CVE.ORG link : CVE-2026-3179

JSON object : View

Products Affected

asustor

data_master

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-3179", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security@asustor.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-25T06:16:27.597", "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=53", "tags": ["Vendor Advisory"], "source": "security@asustor.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@asustor.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution.\nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51."}, {"lang": "es", "value": "La copia de seguridad FTP en el ADM no sanea correctamente los nombres de archivo recibidos del servidor FTP al analizar listados de directorios. Un servidor malicioso o atacante MitM puede crear nombres de archivo que contengan secuencias de salto de ruta, haciendo que el cliente escriba archivos fuera del directorio de copia de seguridad previsto. Una vulnerabilidad de salto de ruta puede permitir a un atacante sobrescribir archivos arbitrarios en el sistema y potencialmente lograr escalada de privilegios o ejecuci\u00f3n remota de c\u00f3digo.\nLos productos y versiones afectados incluyen: desde ADM 4.1.0 hasta ADM 4.3.3.ROF1, as\u00ed como desde ADM 5.0.0 hasta ADM 5.1.2.RE51."}], "lastModified": "2026-02-26T16:32:25.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "662E4EA5-0C53-4669-947E-705E5E076B10", "versionEndIncluding": "4.3.3.rof1", "versionStartIncluding": "4.1.0.rhu2"}, {"criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47B926F1-1D8F-4105-A533-45E0B4178C59", "versionEndExcluding": "5.1.2.reo1", "versionStartIncluding": "5.0.0.ra82"}], "operator": "OR"}]}], "sourceIdentifier": "security@asustor.com"}