CVE-2025-13052: CWE-295 Improper Certificate Validation in ASUSTOR ADM
When the user sets the Notification's sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain sensitive SMTP information. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.
AI Analysis
Technical Summary
CVE-2025-13052 is a vulnerability classified under CWE-295 (Improper Certificate Validation) affecting ASUSTOR ADM network-attached storage (NAS) devices. The issue arises when users configure the Notification feature to send emails through an SMTP server using the msmtp client. Due to improper validation of TLS/SSL certificates by msmtp within ADM, an attacker positioned to intercept network traffic (e.g., on the same local network or via compromised routers) can perform a man-in-the-middle (MITM) attack. This attack allows the adversary to decrypt and capture sensitive SMTP credentials or email content transmitted between the SMTP client and server. The vulnerability affects ADM versions from 4.1.0 through 4.3.3.RKD2 and 5.0.0 through 5.1.0.RN42. The CVSS v4.0 score is 7.0 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, but partial impact on confidentiality. The scope is high, indicating the vulnerability can affect components beyond the initially vulnerable module. No patches or exploit code are currently publicly available, but the risk remains significant due to the potential exposure of sensitive notification data and credentials. The vulnerability primarily compromises confidentiality, with no direct impact on integrity or availability. The improper certificate validation means that the SMTP client does not properly verify the authenticity of the SMTP server’s TLS certificate, allowing attackers to present fraudulent certificates without detection.
Potential Impact
For European organizations, this vulnerability poses a risk of sensitive information leakage through interception of SMTP notification emails sent from ASUSTOR ADM devices. Many enterprises and public sector entities use NAS devices like ASUSTOR ADM for centralized storage and alerting, including security and operational notifications. Exposure of SMTP credentials or email content could lead to further compromise of email infrastructure or leakage of confidential operational data. The impact is heightened in sectors relying on timely and secure notifications, such as finance, healthcare, and critical infrastructure. Additionally, interception of credentials could facilitate lateral movement or phishing campaigns. The vulnerability’s network-based exploitation means that attackers with access to internal or transit networks can exploit it, which is plausible in complex enterprise environments or through supply chain attacks. The lack of user interaction or authentication requirements increases the risk of automated or opportunistic attacks. Although no known exploits are reported, the vulnerability’s presence in widely deployed ADM versions means many European organizations could be affected if attackers develop exploits. The confidentiality breach could undermine compliance with GDPR and other data protection regulations, leading to legal and reputational consequences.
Mitigation Recommendations
1. Immediately review and disable SMTP email notifications configured via msmtp on ASUSTOR ADM devices until a vendor patch is available.
2. Monitor ASUSTOR's official channels for security updates and apply patches promptly once released.
3. If SMTP notifications are essential, configure msmtp or alternative SMTP clients to enforce strict TLS/SSL certificate validation, including certificate pinning or use of trusted CA bundles.
4. Employ network segmentation to isolate NAS devices from untrusted networks and restrict access to SMTP servers to trusted hosts only.
5. Use VPNs or encrypted tunnels (e.g., SSH tunnels or IPsec) to protect SMTP traffic from interception on internal or transit networks.
6. Audit and rotate SMTP credentials regularly to reduce the impact of potential credential compromise.
7. Implement network intrusion detection systems (NIDS) to detect anomalous MITM or TLS interception activities.
8. Educate administrators on the risks of improper certificate validation and encourage secure configuration practices.
9. Consider alternative notification mechanisms that do not rely on SMTP or msmtp until the vulnerability is resolved.
10. Maintain comprehensive logging and monitoring of ADM device activities to detect suspicious access or configuration changes.
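Recommendation 3 is about making msmtp actually verify the server certificate. The following added example (not ADM's or msmtp's own code) parses an msmtp configuration and flags the settings that leave the session open to interception: `tls off`, `tls_certcheck off`, or no explicit trust anchor. The sample msmtprc and the hostname are constructed; the directive names are those documented in msmtp(1), and the msmtp defaults assumed are `tls off` and `tls_certcheck on`.

```python
# Audit an msmtp configuration for settings that leave the SMTP session open to
# TLS interception, the CWE-295 condition behind CVE-2025-13052. Directives are
# from msmtp(1); assumed msmtp defaults: tls off, tls_certcheck on.
def parse_msmtprc(text):
    """Return {account: {directive: value}} with the 'defaults' block merged."""
    defaults, accounts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "defaults":
            current = defaults
        elif key == "account":
            if ":" in val:              # "account default : x" is an alias, skip
                continue
            current = accounts.setdefault(val, dict(defaults))
        elif current is not None:
            current[key] = val
    return accounts

def audit_account(cfg):
    """Return the first weakness that lets an interceptor read the session."""
    if cfg.get("tls", "off") != "on":
        return "tls off: credentials and mail travel in cleartext"
    if cfg.get("tls_certcheck", "on") == "off":
        return "tls_certcheck off: any server certificate is accepted (MITM)"
    if "tls_trust_file" not in cfg and "tls_fingerprint" not in cfg:
        return "no tls_trust_file/tls_fingerprint: trust anchor not explicit"
    return None

def audit_msmtprc(text):
    return {n: audit_account(c) for n, c in parse_msmtprc(text).items()}

# Constructed sample (placeholder hostname): one hardened, two weak accounts.
SAMPLE_MSMTPRC = """\
defaults
host           smtp.example.invalid
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account hardened
tls            on
tls_certcheck  on
account nocheck
tls            on
tls_certcheck  off
account plaintext
tls            off
"""
```

Run `audit_msmtprc` over the device's real msmtprc; any account that returns a string other than `None` is one an on-path attacker could read.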
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASUSTOR1
- Date Reserved: 2025-11-12T10:01:36.262Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693b86d8650da22753ea4798
Added to database: 12/12/2025, 3:07:04 AM
Last enriched: 12/19/2025, 5:25:41 AM
Last updated: 2/7/2026, 3:49:01 AM