TLS
CVE-2026-24932
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user's account email, MD5 hashed password, and device serial number.This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1.
AnalysisAI
Improper TLS/SSL certificate validation in ADM's DDNS update function (versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.1.RCI1) enables remote man-in-the-middle attacks to intercept HTTPS communications and extract sensitive data including user email, MD5 hashed passwords, and device serial numbers. An unauthenticated attacker on the network can exploit this weakness without user interaction to compromise DDNS update credentials. No patch is currently available for affected versions.
Technical ContextAI
Classified as CWE-295 (Improper Certificate Validation). Affects Data Master. The DDNS update function in ADM fails to properly validate the hostname of the DDNS server's TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user's account email, MD5 hashed password, and device serial number.This issue affects ADM: from 4.1.0 through 4.3.3.ROF1
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromis
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern
Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS ce
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's
Same weakness CWE-295 – Improper Certificate Validation
View allShare
External POC / Exploit Code
Leaving vuln.today