CVE-2026-3179 CRITICAL

CVE-2026-3179: A path traversal vulnerability was found in the FTP Backup on the ADM.

Vendor Asustor
Product ADM
Weakness CWE-22 · Path traversal
Published February 25, 2026
Last update February 25, 2026

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path traversal vulnerability may allow an attacker to overwrite arbitrary files on the system and potentially achieve privilege escalation or remote code execution. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.2.RE51.
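The class of check the description says is missing, as an added example (not Asustor's code): a backup client treats every name in a directory listing as untrusted and maps it to a local path only if the result stays under the backup root. The function names and the sample listing are hypothetical and constructed for illustration.

```python
import tempfile
from pathlib import Path

class UnsafeRemoteName(ValueError):
    """A server-supplied name that must not be turned into a local path."""

def _bad_component(part: str) -> bool:
    # One listing entry names one file; separators, dot entries and NULs are never valid.
    return part in ("", ".", "..") or any(c in part for c in "/\\\x00")

def safe_local_path(backup_root: Path, remote_dir: str, remote_name: str) -> Path:
    """Map a directory-listing entry to a path guaranteed to stay under backup_root."""
    parts = [p for p in remote_dir.split("/") if p]
    if _bad_component(remote_name) or any(_bad_component(p) for p in parts):
        raise UnsafeRemoteName(repr(remote_name))
    root = backup_root.resolve()
    candidate = root.joinpath(*parts, remote_name).resolve()
    # Defence in depth: resolve() follows symlinks already on disk, so re-check containment.
    if not candidate.is_relative_to(root):
        raise UnsafeRemoteName(repr(remote_name))
    return candidate

def filter_listing(backup_root: Path, remote_dir: str, names):
    """Split listing entries into safe local targets and rejected names (log the latter)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(backup_root, remote_dir, name))
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected

# Constructed sample listing, as names might arrive from an untrusted server.
SAMPLE_NAMES = ["report.pdf", "../outside.txt", "/abs/outside.txt", "..", "a\\..\\b", "notes.txt"]

def demo():
    """Run the filter over the sample listing; return accepted file names and rejected entries."""
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = filter_listing(Path(tmp), "docs/2026", SAMPLE_NAMES)
        return [p.name for p in ok], bad

if __name__ == "__main__":
    print(demo())
```

Rejected names are worth logging with the server address: a listing that contains separators or dot entries indicates a hostile or tampered server response, not a normal backup source.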

Key dates

02 Disclosure timeline

February 25, 2026 CVE published
February 25, 2026 Record updated
