Asustor ADM FTP Backup Improper TLS Certificate Validation Vulnerability Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in the FTP Backup feature of Asustor's ADM operating system, affecting versions 4.1.0 up to but not including 4.3.3.ROF1, and 5.0.0 up to but not including 5.1.2.RE51. The application does not enforce strict TLS certificate verification when it connects to FTP servers over FTPES/FTPS, so it will complete a TLS handshake with a server presenting an untrusted or mismatched certificate. A remote attacker positioned on the network path can therefore intercept the backup session and conduct a Man-in-the-Middle (MitM) attack, potentially intercepting, modifying, or stealing sensitive information such as authentication credentials and backup data.

Impact

Successful exploitation enables a Man-in-the-Middle attack against FTPS backup sessions, allowing interception, modification, or theft of sensitive information, including the backup account's authentication credentials and the backup data itself.
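To make the flaw described above concrete, here is an added example (not Asustor's code, and not taken from this advisory) of an FTPES client in Python showing the weak TLS configuration beside the strict one, plus an audit check that flags a context which would accept any server certificate. Host, user and CA-file values are hypothetical placeholders.

```python
"""Added example: strict vs. weak TLS verification for an FTPES backup client.

The advisory's bug class is a client that does not require the FTPS
server's certificate to chain to a trusted CA and match the hostname.
Placeholder host/user/CA values below are hypothetical, not from the page.
"""
import ssl
from ftplib import FTP_TLS
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The failure mode: any certificate is accepted, so an on-path
    attacker can present its own and read credentials and backup data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: require a chain to a trusted CA and a hostname match.
    cafile=None uses the system trust store; pass a path to trust a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit check: True only if the context verifies both chain and hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def backup_client(host: str, user: str, password: str,
                  cafile: Optional[str] = None) -> FTP_TLS:
    """Connect with explicit TLS and verification on control and data channels.
    Note: FTP_TLS(context=None) builds an unverified context in CPython, the
    same weakness the advisory describes, so always pass a strict context."""
    ctx = strict_context(cafile)
    if not context_is_strict(ctx):
        raise RuntimeError("refusing to connect without certificate verification")
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)
    ftps.auth()          # AUTH TLS before any credentials are sent (explicit FTPS)
    ftps.login(user, password)
    ftps.prot_p()        # PROT P: encrypt the data channel carrying backup contents
    return ftps


if __name__ == "__main__":
    # Hypothetical target; a mismatched or untrusted cert raises ssl.SSLError.
    client = backup_client("backup.example.invalid", "nasbackup", "s3cret")
    client.quit()
```
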

Remediation

Users can upgrade to Asustor ADM 5.1.2.REO1 or later to address this vulnerability. For ADM 4.1, 4.2, and 4.3, a fix is still pending.

Added: Feb 25, 2026, 6:23 AM
Updated: Feb 25, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm
  spread:          5.0
  impact:          3.1
  exploitability:  4.8
  remediation:     7.7
  relevance:       3.4
  threat:          0.0
  urgency:         2.9
  incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.