CVE-2026-3179
HIGHASUSTOR Data Master 4.1.0-4.3.3.ROF1 & 5.0.0-5.1.2.RE51 - Path Traversal & Arbitrary File Write via FTP Backup
Title source: llmDescription
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
References (1)
Core 1
Core References
Various Sources vendor-advisory
https://www.asustor.com/security/security_advisory_detail?id=53
Scores
CVSS v3
8.1
EPSS
0.0049
EPSS Percentile
38.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (1)
asustor/data_master
4.1.0.rhu2 - 4.3.3.rof1
Published
Feb 25, 2026
Tracked Since
Feb 25, 2026