
CVE-2026-24936

Critical

Published: 03 February 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: see vendor advisory
CVSS v4.0 score: 9.5 (Critical)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS score: 0.0078 (51.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-24936 is a critical-severity Improper Input Validation (CWE-20) vulnerability in ASUSTOR Data Master (ADM). Its CVSS v4.0 base score is 9.5 (Critical); the vendor's CVSS v3.1 base score is 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score ranks it in the top 48.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-24936 is an improper input parameter validation vulnerability (CWE-20) in a specific CGI program within ASUSTOR Data Master (ADM). The issue is reachable when a specific function is enabled while the NAS is joining an Active Directory (AD) domain; the description here does not name the function or the CGI program, so treat any ADM instance that has been joined to AD as potentially exposed. It affects ADM 4.1.0 through 4.3.3.ROF1 and ADM 5.0.0 through 5.1.1.RCI1. The vendor assigns a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), critical severity with high impact on confidentiality, integrity and availability. The CVSS v4.0 vector records the AD-join precondition as AT:P (Attack Requirements: Present), which is why the v4.0 score is 9.5 rather than a full 10.

An unauthenticated remote attacker who can reach the CGI program over the network can exploit it with low attack complexity and no user interaction. Successful exploitation lets the attacker write arbitrary data to any file on the system, including overwriting critical system files, which can lead to complete system compromise. Note that the primitive is a file write, not direct code execution: the practical route to running commands is placing or overwriting server-side content the system will later execute, which is why the ATT&CK mapping on this page includes T1505.003 (Web Shell) alongside T1190.
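The write primitive described above is the classic CWE-20 shape: a request parameter that names a file is used as-is in a filesystem path. The following Python handler is an added illustration, not ASUSTOR's code and not the vulnerable ADM CGI; the parameter name, directory layout and allow-list are assumptions. It shows the unvalidated pattern beside a hardened version that allow-lists the parameter, confines the resolved path to a base directory, and refuses to follow a planted symlink.

```python
import os
import re
import tempfile

# Illustrative CGI-style file-save handler (added example; not ASUSTOR's code).
# The parameter shape, directory layout and allow-list are assumptions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_write(base_dir: str, name: str, data: bytes) -> str:
    """CWE-20 pattern: the request parameter goes straight into the path.
    '../' walks out of base_dir, and an absolute name makes os.path.join
    discard base_dir entirely, so the caller chooses the destination file."""
    path = os.path.join(base_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_write(base_dir: str, name: str, data: bytes) -> str:
    """Same handler with input validation plus path confinement."""
    # 1. Allow-list the parameter's shape before it touches the filesystem:
    #    no slashes, no leading dot, bounded length.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    # 2. Resolve symlinks and '..' on both sides and require the result to
    #    still sit under base_dir (defence in depth behind the allow-list).
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"path escapes base directory: {path}")
    # 3. Do not follow a symlink at the final component and create with a
    #    restrictive mode, so a planted link cannot redirect the write.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def is_inside(base_dir: str, path: str) -> bool:
    """True if path, after resolving symlinks and '..', lies under base_dir."""
    root = os.path.realpath(base_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo() -> dict:
    """Run both handlers in a scratch directory; returns what happened."""
    results = {"hardened_rejected": []}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.mkdir(base)
        # Attacker-controlled parameter: one '../' is enough to leave uploads/.
        landed = vulnerable_write(base, "../overwritten.txt", b"attacker data")
        results["vulnerable_wrote_outside"] = not is_inside(base, landed)
        for bad in ("../overwritten.txt", "/etc/passwd", "sub/report.txt", ".htaccess", ""):
            try:
                hardened_write(base, bad, b"x")
            except ValueError:
                results["hardened_rejected"].append(bad)
        good = hardened_write(base, "report.txt", b"legit")
        results["hardened_accepted_inside"] = is_inside(base, good) and os.path.exists(good)
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list alone already blocks every escape in the demo; the realpath confinement and O_NOFOLLOW are there so that a later change to the allow-list (say, permitting subdirectories) cannot silently reopen the hole.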

For details on mitigation, patches, or workarounds, refer to the ASUSTOR security advisory at https://www.asustor.com/security/security_advisory_detail?id=51.

Vulnerability details

When a specific function is enabled while joining an AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allows an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An unauthenticated arbitrary file write through a public-facing CGI program directly enables T1190 (Exploit Public-Facing Application) for initial access, and T1505.003 (Web Shell) when the same write is used to place executable server-side code, leading to full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
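Both techniques leave traces in the appliance's web access log: T1190 as requests to a CGI endpoint whose parameters carry traversal sequences or absolute paths, T1505.003 as later requests to a .cgi path that the product never shipped. The scanner below is an added example, not part of this page or of ADM; the log lines are constructed in Apache/nginx combined format (ADM's real log format is not described here), and the endpoint names and the known-endpoint baseline are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in combined log format (not ADM's own log format).
# Endpoint names are placeholders for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:01:12 +0000] "GET /cgi-bin/status.cgi?act=info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2026:10:01:15 +0000] "POST /cgi-bin/upload.cgi?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.9 - - [03/Feb/2026:10:02:01 +0000] "POST /cgi-bin/upload.cgi?file=%2Fvar%2Fwww%2Fshell.cgi HTTP/1.1" 200 0 "-" "curl/8.4.0"
192.0.2.5 - - [03/Feb/2026:10:03:40 +0000] "GET /cgi-bin/upload.cgi?file=report.txt HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2026:10:04:02 +0000] "GET /shell.cgi?cmd=id HTTP/1.1" 200 40 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Baseline of CGI endpoints the appliance is known to serve (assumption;
# build the real baseline from a clean install of the same firmware).
KNOWN_CGI = frozenset({"/cgi-bin/status.cgi", "/cgi-bin/upload.cgi"})


def classify(target: str) -> list:
    """Return detection labels for one request target (path plus query)."""
    parts = urlsplit(target)
    labels = []
    # T1505.003: a .cgi path that is not part of the product is a web-shell candidate.
    if parts.path.endswith(".cgi") and parts.path not in KNOWN_CGI:
        labels.append("unknown-cgi-endpoint")
    # T1190 / CWE-20: parameters carrying traversal sequences or absolute paths.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch %252e-style double encoding.
        decoded = unquote(value)
        if "../" in decoded or "..\\" in decoded:
            labels.append(f"traversal:{key}")
        elif decoded.startswith(("/", "\\")):
            labels.append(f"absolute-path:{key}")
    return labels


def scan(log_text: str) -> list:
    """Return (source ip, label, target) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for label in classify(m["target"]):
            findings.append((m["ip"], label, m["target"]))
    return findings


def by_source(findings: list) -> dict:
    """Count findings per source address; a source that first probes a known
    CGI with a path payload and later calls an unknown .cgi is the T1190 -> T1505.003 chain."""
    counts = {}
    for ip, _label, _target in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(by_source(scan(SAMPLE_LOG)))
```

The absolute-path rule is deliberately broad: on a NAS a legitimate file parameter is almost never an absolute path, so the false-positive cost is low, while a 200 response to such a request on an unpatched version is exactly the event worth paging on.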

CVEs Like This One

CVE-2026-6643 · Same product: Asustor Data Master
CVE-2026-6644 · Same product: Asustor Data Master
CVE-2026-3179 · Same product: Asustor Data Master
CVE-2025-48913 · Shared CWE-20
CVE-2025-67484 · Shared CWE-20
CVE-2026-4755 · Shared CWE-20
CVE-2026-33588 · Shared CWE-20
CVE-2026-23489 · Shared CWE-20
CVE-2025-54385 · Shared CWE-20
CVE-2026-48188 · Shared CWE-20

Affected Assets

asustor · data master
4.1.0.rhu2 to 4.3.3.rof1 · 5.0.0.ra82 to 5.1.2.re51

The asset range listed here runs to 5.1.2.re51, while the vulnerability description ends the affected range at ADM 5.1.1.RCI1; treat the vendor advisory as authoritative for the first fixed build before declaring a 5.1.2 system out of scope.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent
Directly mandates validation of information inputs at CGI program interfaces, preventing arbitrary data writes due to improper input parameter validation. For a closed CGI binary this control is only satisfiable by the vendor's fix, so in practice it means applying the ADM update from the advisory.

IA-8 Identification and Authentication (Non-organizational Users) · prevent
Requires identification and authentication for non-organizational users, blocking unauthenticated remote exploitation of the vulnerable CGI program. Until the update is applied, the equivalent operational step is to keep the ADM web interface off the Internet and reachable only through a VPN or an authenticating gateway.

AC-3 Access Enforcement · prevent
Enforces approved access authorizations to system resources, preventing unauthorized file writes enabled by the input validation flaw.
