Yottamaster NAS Incorrect Symlink Follow Vulnerability Allowing File System Tampering and Leakage
Vulnerability
An incorrect symlink-following vulnerability has been identified in multiple Yottamaster NAS devices: the DM2 and DM3 models (both through version 1.9.12) and the DM200 model (through version 1.2.23). Attackers could exploit it to leak or manipulate the internal file system. Exploitation involves formatting a USB drive as ext4, creating a symbolic link to its root directory, and then inserting the drive into the NAS device's slot. Once the USB drive's symlink directory is mounted on the NAS, attackers can access and tamper with all files within the NAS system.
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of the internal file system on the affected Yottamaster NAS devices.
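One defensive check for the condition described above, as an added example that is not part of the original advisory or of Yottamaster's firmware: before a removable volume is exposed to users, walk it without following links and flag every symlink whose target resolves outside the volume. The function names, the sample tree and the assumption that the volume is already mounted at a known path are all hypothetical.

```python
import os
import tempfile


def find_escaping_symlinks(volume_root):
    """Return sorted (link, resolved_target) pairs for every symlink under
    volume_root whose target resolves outside the volume."""
    root = os.path.realpath(volume_root)
    findings = []
    # followlinks=False: the scan itself never descends through a link.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames, others in filenames.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            # An absolute target such as "/" resolves against the host's
            # root, not the volume's, so it always lands outside `root`.
            if os.path.commonpath([root, resolved]) != root:
                findings.append((os.path.relpath(path, root), resolved))
    return sorted(findings)


def build_sample_volume(base):
    """Constructed sample tree standing in for a mounted USB volume."""
    vol = os.path.join(base, "usb")
    os.makedirs(os.path.join(vol, "photos"))
    open(os.path.join(vol, "photos", "a.jpg"), "w").close()
    os.symlink("/", os.path.join(vol, "rootlink"))          # absolute: host root
    os.symlink("../..", os.path.join(vol, "photos", "up"))  # relative escape
    os.symlink("photos/a.jpg", os.path.join(vol, "ok"))     # stays inside
    return vol


def demo():
    """Scan the constructed volume and return the links that must be rejected."""
    with tempfile.TemporaryDirectory() as base:
        return find_escaping_symlinks(build_sample_volume(base))


if __name__ == "__main__":
    for link, target in demo():
        print(f"REJECT {link} -> {target}")
```

A scan like this is a point-in-time check; the code that serves files from the volume still has to refuse to follow links out of it at access time.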
