CVE-2026-3179
Published: 25 February 2026
Description
The FTP Backup feature of ASUSTOR Data Master (ADM) does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server, or an attacker in a man-in-the-middle position, can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. This path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions: ADM 4.1.0 through ADM 4.3.3.ROF1, and ADM 5.0.0 through ADM 5.1.2.RE51.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring that the vendor fix for the FTP Backup filename sanitization flaw be identified, prioritized and applied.
- Input validation and error handling: requires that filenames parsed from FTP directory listings be validated, and that entries containing path traversal sequences be rejected (and the failure logged) rather than written.
- Access enforcement: enforces access control on file writes so that the FTP Backup process cannot overwrite files outside the intended backup directory even if a traversal sequence gets past the parser.
Security Summary
CVE-2026-3179 is a path traversal vulnerability (CWE-22) in the FTP Backup feature of ASUSTOR Data Master (ADM). The component fails to properly sanitize filenames received from the FTP server during directory listing parsing, allowing crafted filenames with path traversal sequences to direct file writes outside the intended backup directory. Affected versions include ADM 4.1.0 through 4.3.3.ROF1, as well as ADM 5.0.0 through 5.1.2.RE51. The vulnerability was published on 2026-02-25 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A remote attacker controlling a malicious FTP server, or positioned as a man-in-the-middle (MITM), can exploit this by returning directory listings with specially crafted filenames. The ADM client then writes the retrieved files to attacker-chosen locations on the filesystem, potentially overwriting critical system files. Successful exploitation may result in privilege escalation or remote code execution, depending on which files are overwritten and with what content. The MITM variant only applies where the listing is not integrity-protected in transit (plain FTP, or FTPS when the server certificate is not validated); the high attack complexity (AC:H) in the vector reflects that the attacker must either control the configured backup server or hold that network position.
ASUSTOR has published a security advisory detailing the issue and mitigation steps, available at https://www.asustor.com/security/security_advisory_detail?id=53. Security practitioners should consult this advisory for patch availability and recommended remediation actions for affected ADM installations.
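The flaw described in the Description and in the summary above is the unchecked join of a server-supplied listing entry onto a local directory. The following Python is an added illustration written for this page, not ASUSTOR's code: the listing format (one name per line, NLST-style), the backup root /volume1/backup and the hostile entries are all constructed assumptions. vulnerable_target shows where a listing entry lands when joined naively; safe_target is the hardened replacement, a lexical allow-list on the name followed by a realpath containment check so that a symlink already inside the backup root cannot redirect the write either.

```python
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed directory listing as a hostile FTP server (or a MITM rewriting
# the control channel) could return it. The exact listing format ADM parses is
# not documented on the page; an NLST-style one-name-per-line list is assumed.
HOSTILE_LISTING = """\
photos.tar
normal/nested.bin
../../../etc/cron.d/backdoor
/etc/passwd
ok/../../.ssh/authorized_keys
"""

# Illustrative backup root; ADM's real destination path is not stated on the page.
BACKUP_DIR = "/volume1/backup"


def parse_listing(raw: str) -> List[str]:
    """Split a newline-separated NLST-style listing into entry names."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def vulnerable_target(backup_dir: str, name: str) -> str:
    """The pattern the advisory describes: a server-supplied name joined straight
    onto the backup root. os.path.join discards backup_dir when name is absolute,
    and normpath folds '..' components, so the result can land anywhere."""
    return os.path.normpath(os.path.join(backup_dir, name))


def safe_relative_name(name: str) -> Optional[str]:
    """Lexical allow-list for a listing entry: a relative POSIX path whose every
    component is a plain name. Returns the normalized name, or None to reject.
    Rejecting (not 'cleaning') is deliberate: stripping '..' from '....//'
    style entries just reintroduces traversal."""
    if "\x00" in name or "\\" in name:
        return None                      # NUL truncation, Windows separators
    parts = name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        return None                      # absolute path, doubled '/', '.' or '..'
    return posixpath.join(*parts)


def safe_target(backup_dir: str, name: str) -> Optional[str]:
    """Hardened resolution: lexical check first, then confirm the fully resolved
    path (symlinks followed) is still inside the resolved backup root."""
    rel = safe_relative_name(name)
    if rel is None:
        return None
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, candidate]) != base:
        return None                      # a symlink under the root pointed out of it
    return candidate


def plan_writes(backup_dir: str, listing: str) -> Tuple[List[str], List[str]]:
    """Resolve every listing entry; return (accepted targets, rejected names)."""
    accepted, rejected = [], []
    for name in parse_listing(listing):
        target = safe_target(backup_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted.append(target)
    return accepted, rejected


if __name__ == "__main__":
    for entry in parse_listing(HOSTILE_LISTING):
        print(f"{entry!r:38} naive join -> {vulnerable_target(BACKUP_DIR, entry)}")
        print(f"{'':38} hardened   -> {safe_target(BACKUP_DIR, entry)}")
```

Run directly, it prints each hostile entry beside its naive and hardened resolution. The two-stage check is the point: the lexical filter covers what the parser can see, and the containment check after realpath covers what it cannot (symlinks created by an earlier write). Neither replaces the access-enforcement control listed above; the backup process should also run with write access confined to its destination so that a missed case cannot reach system files.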
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ADM FTP Backup client is the component being exploited, by a server it connects to, so the arbitrary file write maps to Exploitation for Client Execution (T1203). Because that write can overwrite critical system files owned by more privileged accounts, the follow-on impact maps to Exploitation for Privilege Escalation (T1068).