CVE-2026-24935: ADM NAT Traversal DoS Vulnerability

CVE-2026-24935 Overview

A third-party NAT traversal module in Asustor ADM (ASUSTOR Data Master) fails to properly validate SSL/TLS certificates when establishing connections to the signaling server. This improper certificate validation vulnerability (CWE-295) allows Man-in-the-Middle (MitM) attackers to intercept or redirect NAT tunnel establishment, potentially disrupting service availability or facilitating further targeted attacks by acting as a proxy between users and device services.

Critical Impact
While subsequent access to device services requires additional authentication, attackers positioned in the network path can intercept, redirect, or disrupt NAT tunnel connections, potentially compromising the confidentiality and integrity of communications between users and their NAS devices.

Affected Products

ADM 4.1.0 through ADM 4.3.3.ROF1
ADM 5.0.0 through ADM 5.1.1.RCI1
Asustor NAS devices running affected ADM versions

Discovery Timeline

2026-02-03 - CVE-2026-24935 published to NVD
2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-24935

Vulnerability Analysis

This vulnerability stems from improper certificate validation (CWE-295) within a third-party NAT traversal module used by Asustor ADM. The module is responsible for establishing secure connections to a signaling server that facilitates NAT traversal, allowing remote users to access their NAS devices through firewalls and NAT boundaries.

The flaw allows the NAT traversal module to accept invalid, expired, or fraudulent SSL/TLS certificates without proper verification. This creates an opportunity for attackers to present their own certificates and intercept the communication channel between the ADM device and the signaling server.

While the vulnerability does not directly expose device credentials due to additional authentication layers protecting device services, it enables attackers to:

Disrupt the NAT tunnel establishment process, causing denial of service
Act as a proxy between users and their NAS devices
Potentially gather reconnaissance information about the target environment
Facilitate further targeted attacks against the device or its users

Root Cause

The root cause of this vulnerability is the failure to implement proper SSL/TLS certificate validation in the NAT traversal module. Specifically, the module does not verify:

Certificate chain validity and trust anchors
Certificate expiration dates
Subject/hostname matching against the connected server
Certificate revocation status

This implementation oversight allows the module to establish connections with servers presenting invalid or self-signed certificates, bypassing the security guarantees that TLS is designed to provide.

Attack Vector

The attack requires the adversary to be positioned in the network path between the vulnerable ADM device and the signaling server, typically through:

Network-level positioning: The attacker must be able to intercept traffic between the NAS device and the signaling server, achievable through ARP spoofing on local networks, DNS hijacking, BGP hijacking, or compromised network infrastructure.
Certificate interception: Once positioned, the attacker presents their own certificate to the ADM device. Due to the lack of proper validation, the device accepts this fraudulent certificate and establishes a connection with the attacker.
Proxy establishment: The attacker then acts as a proxy, forwarding traffic between the device and the legitimate signaling server while having visibility into or control over the NAT tunnel establishment process.

The network-based attack vector with no required privileges or user interaction makes this vulnerability exploitable in various network environments, though the need for network positioning provides some natural mitigation.

Detection Methods for CVE-2026-24935

Indicators of Compromise

Unexpected certificate warnings or SSL/TLS errors in network monitoring logs related to NAT traversal connections
Anomalous network traffic patterns between ADM devices and unfamiliar IP addresses attempting to mimic signaling server communications
DNS resolution anomalies where signaling server domains resolve to unexpected IP addresses
Increased latency or connection failures in NAT traversal functionality that may indicate MitM interception

Detection Strategies

Implement network-level SSL/TLS inspection to identify certificate mismatches or untrusted certificates in ADM device communications
Deploy intrusion detection systems (IDS) with rules to detect ARP spoofing, DNS hijacking, and other MitM attack prerequisites
Monitor for certificate pinning failures or certificate validation errors in device logs
Use network flow analysis to identify unusual connection patterns to signaling server infrastructure

Monitoring Recommendations

Enable detailed logging on network security appliances monitoring traffic to and from ADM devices
Configure alerts for SSL/TLS certificate anomalies in enterprise security monitoring platforms
Implement regular network topology audits to identify potential MitM attack positions
Monitor ADM device connectivity status for unexpected disconnections or service disruptions

How to Mitigate CVE-2026-24935

Immediate Actions Required

Update all Asustor ADM installations to the latest patched version as recommended in the security advisory
Review network architecture to minimize exposure of ADM devices to untrusted network segments
Implement network segmentation to isolate NAS devices from potentially compromised network zones
Enable available security features on network infrastructure to prevent ARP spoofing and other MitM attack vectors

Patch Information

Asustor has released security updates to address this vulnerability. Administrators should consult Asustor Security Advisory #50 for specific patch versions and update instructions.

For ADM 4.x series: Update to a version newer than ADM 4.3.3.ROF1
For ADM 5.x series: Update to a version newer than ADM 5.1.1.RCI1

Workarounds

If immediate patching is not possible, consider disabling NAT traversal functionality and using alternative remote access methods such as VPN
Implement strict network access controls limiting which systems can communicate with the ADM signaling server
Deploy network-level certificate validation through proxy appliances that can enforce proper SSL/TLS certificate checking
Use dedicated VLAN segmentation to isolate NAS devices and limit potential MitM attack surfaces

bash

# Network-level mitigation example: Restrict ADM device outbound connections
# Configure firewall rules to only allow connections to known legitimate signaling servers
# Consult Asustor documentation for specific server addresses

# Example iptables rule structure (adapt to your environment)
iptables -A OUTPUT -p tcp --dport 443 -d <legitimate_signaling_server_ip> -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j LOG --log-prefix "ADM_OUTBOUND_BLOCKED: "

CVE-2026-24935 Overview

Critical Impact
While subsequent access to device services requires additional authentication, attackers positioned in the network path can intercept, redirect, or disrupt NAT tunnel connections, potentially compromising the confidentiality and integrity of communications between users and their NAS devices.

Affected Products

ADM 4.1.0 through ADM 4.3.3.ROF1
ADM 5.0.0 through ADM 5.1.1.RCI1
Asustor NAS devices running affected ADM versions

Discovery Timeline

2026-02-03 - CVE-2026-24935 published to NVD
2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-24935

Vulnerability Analysis

While the vulnerability does not directly expose device credentials due to additional authentication layers protecting device services, it enables attackers to:

Disrupt the NAT tunnel establishment process, causing denial of service
Act as a proxy between users and their NAS devices
Potentially gather reconnaissance information about the target environment
Facilitate further targeted attacks against the device or its users

Root Cause

The root cause of this vulnerability is the failure to implement proper SSL/TLS certificate validation in the NAT traversal module. Specifically, the module does not verify:

Certificate chain validity and trust anchors
Certificate expiration dates
Subject/hostname matching against the connected server
Certificate revocation status

Attack Vector

The attack requires the adversary to be positioned in the network path between the vulnerable ADM device and the signaling server, typically through:

Network-level positioning: The attacker must be able to intercept traffic between the NAS device and the signaling server, achievable through ARP spoofing on local networks, DNS hijacking, BGP hijacking, or compromised network infrastructure.
Certificate interception: Once positioned, the attacker presents their own certificate to the ADM device. Due to the lack of proper validation, the device accepts this fraudulent certificate and establishes a connection with the attacker.
Proxy establishment: The attacker then acts as a proxy, forwarding traffic between the device and the legitimate signaling server while having visibility into or control over the NAT tunnel establishment process.

Detection Methods for CVE-2026-24935

Indicators of Compromise

Unexpected certificate warnings or SSL/TLS errors in network monitoring logs related to NAT traversal connections
Anomalous network traffic patterns between ADM devices and unfamiliar IP addresses attempting to mimic signaling server communications
DNS resolution anomalies where signaling server domains resolve to unexpected IP addresses
Increased latency or connection failures in NAT traversal functionality that may indicate MitM interception

Detection Strategies

Implement network-level SSL/TLS inspection to identify certificate mismatches or untrusted certificates in ADM device communications
Deploy intrusion detection systems (IDS) with rules to detect ARP spoofing, DNS hijacking, and other MitM attack prerequisites
Monitor for certificate pinning failures or certificate validation errors in device logs
Use network flow analysis to identify unusual connection patterns to signaling server infrastructure

Monitoring Recommendations

Enable detailed logging on network security appliances monitoring traffic to and from ADM devices
Configure alerts for SSL/TLS certificate anomalies in enterprise security monitoring platforms
Implement regular network topology audits to identify potential MitM attack positions
Monitor ADM device connectivity status for unexpected disconnections or service disruptions

How to Mitigate CVE-2026-24935

Immediate Actions Required

Update all Asustor ADM installations to the latest patched version as recommended in the security advisory
Review network architecture to minimize exposure of ADM devices to untrusted network segments
Implement network segmentation to isolate NAS devices from potentially compromised network zones
Enable available security features on network infrastructure to prevent ARP spoofing and other MitM attack vectors

Patch Information

Asustor has released security updates to address this vulnerability. Administrators should consult Asustor Security Advisory #50 for specific patch versions and update instructions.

For ADM 4.x series: Update to a version newer than ADM 4.3.3.ROF1
For ADM 5.x series: Update to a version newer than ADM 5.1.1.RCI1

Workarounds

If immediate patching is not possible, consider disabling NAT traversal functionality and using alternative remote access methods such as VPN
Implement strict network access controls limiting which systems can communicate with the ADM signaling server
Deploy network-level certificate validation through proxy appliances that can enforce proper SSL/TLS certificate checking
Use dedicated VLAN segmentation to isolate NAS devices and limit potential MitM attack surfaces

bash

# Network-level mitigation example: Restrict ADM device outbound connections
# Configure firewall rules to only allow connections to known legitimate signaling servers
# Consult Asustor documentation for specific server addresses

# Example iptables rule structure (adapt to your environment)
iptables -A OUTPUT -p tcp --dport 443 -d <legitimate_signaling_server_ip> -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j LOG --log-prefix "ADM_OUTBOUND_BLOCKED: "

CVE-2026-24935: ADM NAT Traversal DoS Vulnerability

CVE-2026-24935 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-24935

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-24935

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-24935

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-24935: ADM NAT Traversal DoS Vulnerability

CVE-2026-24935 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-24935

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-24935

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-24935

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform