CVE-2026-24933
MEDIUMASUSTOR Data Master 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.1.RCI1 - Improper Certificate Validation in API Communication
Title source: llmDescription
The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.
References (1)
Core 1
Core References
Various Sources vendor-advisory
https://www.asustor.com/security/security_advisory_detail?id=50
Scores
CVSS v3
5.9
EPSS
0.0020
EPSS Percentile
10.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
asustor/data_master
4.1.0.rhu2 - 4.3.3.rof1
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026