Critical

Unauthenticated arbitrary file write in ASUSTOR ADM AD domain-join CGI (CVE-2026-24936)

Identifiers: CVE-2026-24936; CWE-20 (Improper Input Validation)

CVE-2026-24936 is an improper input parameter validation flaw in an ASUSTOR Data Master (ADM) CGI program involved in the workflow for joining an ASUSTOR NAS to an Active Directory (AD) domain. When a specific function is enabled during the AD domain-join operation, the CGI endpoint fails to properly validate/sanitize attacker-controlled input parameters, allowing an unauthenticated remote attacker to write arbitrary data to an arbitrary file path on the underlying system. This arbitrary file write can be used to overwrite critical system/configuration files, resulting in complete compromise of the NAS. Affected versions include ADM 4.1.0 through 4.3.3.ROF1 and ADM 5.0.0 through 5.1.1.RCI1.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Unauthenticated remote arbitrary file write with high confidentiality/integrity/availability impact. Successful exploitation can overwrite critical system files, disable or subvert security controls, corrupt/destroy data, enable data exfiltration, and lead to full system compromise of the NAS (reported CVSS 9.5).

Mitigation

If you can’t patch tonight, do this now.

Until patched (or where no patch is available), reduce exposure by restricting network access to the ADM management interface/affected CGI endpoint to trusted administrative networks only, and avoid/disable the AD domain-join workflow and the referenced specific function. Increase monitoring for suspicious crafted HTTP requests to ADM and for unexpected filesystem changes indicative of arbitrary file writes; be prepared to investigate for prior compromise.

Remediation

Patch, then assume compromise.

Apply vendor updates. Per the provided advisory content: for ADM 5.0/5.x, upgrade to ADM 5.1.2.RE31 or later. For ADM 4.1/4.2/4.3, the advisory content indicates no fixed version is available yet; follow ASUSTOR guidance and deploy compensating controls until a patch is released. Note: upgrading does not remediate any prior compromise; perform incident response as needed.
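To triage an inventory against the version ranges and fix path stated above, here is an added example (not ASUSTOR's or Mallory's code). The hostnames are constructed, and it assumes only the numeric major.minor.patch part of a version can be compared, because the page gives no ordering for build suffixes.

```python
import re

# Ranges and fix version come from the advisory text on this page.
# Assumption: build suffixes ("ROF1", "RCI1", "RE31") have no known ordering,
# so any build of a boundary version is treated conservatively.
AFFECTED = [((4, 1, 0), (4, 3, 3)), ((5, 0, 0), (5, 1, 1))]
FIXED_5X, FIXED_5X_BUILD = (5, 1, 2), "RE31"   # "5.1.2.RE31 or later"

_VERSION = re.compile(
    r"^\s*(?:ADM\s*)?(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?\s*$")


def triage(version: str) -> str:
    """Classify one ADM version string for CVE-2026-24936."""
    m = _VERSION.match(version)
    if not m:
        return "unparsed: check manually"
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    build = m.group(4)
    for low, high in AFFECTED:
        if low <= triple <= high:
            if triple[0] == 4:
                # The page lists no fixed release for ADM 4.1/4.2/4.3.
                return "affected: no fixed version listed, apply compensating controls"
            return "affected: upgrade to 5.1.2.RE31 or later"
    if triple == FIXED_5X and build != FIXED_5X_BUILD:
        # Same numeric version as the fix but a different or missing build.
        return "verify build: fix is 5.1.2.RE31 or later"
    return "outside listed affected ranges"


def triage_inventory(inventory: dict) -> dict:
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "nas-branch-01": "4.3.3.ROF1",
    "nas-hq-01": "ADM 5.1.1.RCI1",
    "nas-hq-02": "5.1.2.RE31",
    "nas-lab-01": "5.1.2",
    "nas-old-01": "unknown",
}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```

A result of "outside listed affected ranges" only means the version is not in the ranges this page states; it is not a statement that the device was never compromised.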
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   | Product           | Type
Asustor  | Adm               | application
Asustor  | Data Master       | operating_system
Asustor  | Data Master (Adm) | operating_system

Vendor-confirmed product mapping.
