Asustor ADM Stack-Based Buffer Overflow Vulnerability in VPN Clients Allowing Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the VPN clients of Asustor's ADM operating system. The flaw stems from unbounded input handling with sscanf(), combined with passing user-controlled data directly to printf() as the format string. Because the affected binary is built without Position Independent Executable (PIE) and stack canary protections, an authenticated remote attacker can exploit the overflow to execute arbitrary code as the web server user. The vulnerability affects Asustor ADM versions 4.1.0 prior to 4.3.3.RR42, as well as versions 5.0.0 prior to 5.1.2.REO1.
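As an added illustration (constructed code, not Asustor's ADM source), the weak sscanf()/printf() pattern the advisory describes is shown beside a hardened parser that bounds the conversion, refuses oversize input instead of truncating it, and passes user data to printf() only as an argument; the "name=" line format and NAME_MAX size are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64   /* stack buffer size; the "%63s" width below must stay NAME_MAX - 1 */

/* Weak pattern (constructed illustration): "%s" carries no width, so a token
 * longer than `name` runs past the end of the stack buffer, and handing the
 * buffer to printf() as its format string lets '%' sequences in the data
 * steer printf. Kept only for contrast; never call it with untrusted input. */
void parse_weak(const char *line)
{
    char name[NAME_MAX];
    if (sscanf(line, "name=%s", name) == 1)
        printf(name);
}

/* Hardened pattern: measure the token first and reject anything that would
 * not fit, bound the conversion with a width, and pass the value to printf()
 * only as a "%s" argument. Returns the token length, or -1 on rejection. */
int parse_safe(const char *line, char *out, size_t outlen)
{
    char name[NAME_MAX];
    size_t toklen;

    if (outlen < NAME_MAX || strncmp(line, "name=", 5) != 0)
        return -1;
    toklen = strcspn(line + 5, " \t\r\n");
    if (toklen == 0 || toklen >= NAME_MAX)
        return -1;                       /* oversize: refuse, do not truncate */
    if (sscanf(line, "name=%63s", name) != 1)
        return -1;
    memcpy(out, name, toklen + 1);       /* toklen < NAME_MAX, so this fits */
    printf("%s\n", out);                 /* data is an argument, never the format */
    return (int)toklen;
}

/* Convenience wrapper: parse into a correctly sized local buffer. */
int accepts_line(const char *line)
{
    char out[NAME_MAX];
    return parse_safe(line, out, sizeof out);
}

/* Constructed oversize input: a 100-byte token, well past NAME_MAX. */
int oversize_rejected(void)
{
    char line[5 + 100 + 1];
    memcpy(line, "name=", 5);
    memset(line + 5, 'A', 100);
    line[105] = '\0';
    return accepts_line(line) == -1;     /* 1 when the hardened parser refuses it */
}
```

With the same oversize line, parse_weak() would write 100 bytes into a 64-byte stack buffer, which is the overflow the advisory describes; parse_safe() returns -1 before any copy happens.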

Impact

Successful exploitation triggers the stack-based buffer overflow and leads to arbitrary code execution on the affected system.

Remediation

Users can upgrade to Asustor ADM 5.1.1.RCI1 or ADM 4.3.3.ROF1 to address this vulnerability.

Added: Apr 20, 2026, 7:18 AM
Updated: Apr 20, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 7.5
exploitability: 5.2
remediation: 7.7
relevance: 6.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.