Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.
AnalysisAI
Remote code execution in ASUSTOR ADM (4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1) allows authenticated high-privilege attackers to execute arbitrary code via stack-based buffer overflow in VPN client components. The vulnerability combines unbounded sscanf() calls with format string weaknesses (printf with user-controlled data), exploitable due to absent PIE and stack canary protections. EPSS exploitation probability is low (0.23%, 46th percentile) with no public exploit code identified at time of analysis, suggesting limited real-world targeting despite high CVSS score.
Technical ContextAI
This vulnerability affects ASUSTOR Data Master (ADM), the Linux-based operating system for ASUSTOR NAS devices, specifically within VPN client functionality. The root cause is CWE-121 (stack-based buffer overflow) arising from unsafe string handling: unbounded sscanf() reads user input without length validation, while printf() directly processes attacker-controlled format strings. The binary lacks Position Independent Executable (PIE) compilation and stack canaries-exploit mitigation techniques standard in modern toolchains. Without PIE, attackers can reliably predict memory addresses for return-oriented programming (ROP) gadgets. Without stack canaries, buffer overflows can directly overwrite return addresses without detection. The CPE identifier (cpe:2.3:a:asustor_inc.:adm) confirms this affects the ADM platform across two major version branches (4.x and 5.x), indicating the vulnerable code persisted through significant product iterations.
RemediationAI
Apply ASUSTOR security patch per advisory https://www.asustor.com/security/security_advisory_detail?id=54, which should provide updated ADM firmware versions beyond 4.3.3.RR42 (for 4.x branch) and 5.1.2.REO1 (for 5.x branch)-consult the advisory for exact patched release numbers as they are not specified in available CVE data. Until patching, implement compensating controls: disable VPN client functionality in ADM if not operationally required (eliminates attack surface but removes VPN capability), restrict ADM administrative interface access to trusted management networks only via firewall rules (reduces attacker positioning opportunities but does not prevent insider threats), enforce multi-factor authentication for all ADM administrative accounts (increases credential compromise difficulty but adds operational overhead), and audit administrative login activity for anomalous access patterns (detection-focused, does not prevent exploitation). Note that disabling VPN clients may impact backup or remote access workflows-assess operational dependencies before implementing. No workaround fully mitigates the vulnerability; patching is the definitive solution.
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory st
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size vali
Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.RE
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validati
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. Rated medium severity (CVSS 6
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23786
GHSA-46vm-f48w-xhvv