A severe vulnerability has been discovered in ASUSTOR ADM, the operating system that powers ASUSTOR’s NAS devices. It is tracked as CVE-2026-24936 and has a CVSS score of 9.5. The flaw, caused by improper input validation, resides in a specific CGI program used when an administrator joins the NAS to an Active Directory domain, and an unauthenticated attacker can exploit it remotely. It is an arbitrary file write vulnerability; when exploited, the attacker can overwrite critical system files and take control of the operating system.
The vulnerability affects ADM versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1. ASUSTOR has released a patch addressing the issue, and users are urged to upgrade to ADM 5.1.2.RE31 or later. According to the ASUSTOR security advisory, the flaw enables an unauthenticated remote attacker to write arbitrary data to any file on the system.
Given the likelihood of NAS devices being targeted by ransomware groups, administrators should apply the patch promptly or, until then, disable AD domain joining features or restrict access to the NAS management interface.