9.2

Malicious Files Can Be Written Outside Intended Backup Directory

CVE-2026-3179
Summary

The FTP backup feature on some ADM versions does not properly check file names, allowing an attacker to write files to unintended locations on the system. This could lead to data loss or unauthorized changes to system files, potentially allowing an attacker to take control of the system. Affected ADM versions should be updated to the latest patch to prevent this.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
asustor | data_master | > 4.1.0.rhu2, <= 4.3.3.rof1 |
asustor | data_master | > 5.0.0.ra82, <= 5.1.2.reo1 |
Original title
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path ...
Original description
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
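
The check the description says is missing, sketched as an added example (not ASUSTOR's code and not part of the original advisory): every name taken from an FTP directory listing is treated as untrusted, must be a single path component, and must resolve inside the backup directory before anything is written. The names `safe_local_path`, `plan_backup` and `UnsafeRemoteName` are hypothetical, and the sample listing is constructed.

```python
import os
import posixpath
import tempfile

class UnsafeRemoteName(ValueError):
    """A server-supplied name that must not be used to build a local path."""

def safe_local_path(backup_root, remote_dir, listed_name):
    """Return the local path for one listing entry, confined to backup_root."""
    # A listing entry must be exactly one path component.
    if listed_name in ("", ".", "..") or any(c in listed_name for c in "/\\\x00"):
        raise UnsafeRemoteName(f"rejected listing entry {listed_name!r}")
    # Normalise the remote directory against "/" so ".." cannot climb above it.
    rel = posixpath.normpath(posixpath.join("/", remote_dir, listed_name)).lstrip("/")
    root = os.path.realpath(backup_root)
    # realpath resolves symlinks that already exist under the backup root.
    candidate = os.path.realpath(os.path.join(root, *rel.split("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRemoteName(f"{listed_name!r} resolves outside {root}")
    return candidate

def plan_backup(backup_root, remote_dir, listing):
    """Split a directory listing into (accepted local paths, rejected names)."""
    accepted, rejected = [], []
    for name in listing:
        try:
            accepted.append(safe_local_path(backup_root, remote_dir, name))
        except UnsafeRemoteName:
            rejected.append(name)  # log and skip; never write the file
    return accepted, rejected

# Constructed sample listing, as an untrusted server might return it.
SAMPLE_LISTING = ["report.pdf", "../../outside.txt", "..",
                  "sub/evil.txt", "..\\outside.txt", "notes.txt"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        ok, bad = plan_backup(root, "/photos/2026", SAMPLE_LISTING)
        print("write:", ok)
        print("skip: ", bad)
```

Rejected names are worth logging with the server address: a listing entry containing a separator or `..` is a strong signal of a hostile or tampered FTP session.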
nvd CVSS3.1 8.1
nvd CVSS4.0 9.2
Vulnerability type
CWE-22 Path Traversal
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026