CVE-2025-13052: CWE-295 Improper Certificate Validation in ASUSTOR ADM
When the user sets the Notification sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain sensitive SMTP information. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.
AI Analysis
Technical Summary
CVE-2025-13052 is a vulnerability classified under CWE-295 (Improper Certificate Validation) affecting ASUSTOR ADM network-attached storage (NAS) devices. The flaw is reachable when users configure the Notification feature to send emails through an SMTP server using the msmtp client. It stems from the ADM software's failure to properly validate the TLS/SSL certificate presented by the SMTP server while establishing the encrypted connection. Because the server's identity is not verified, an attacker positioned to intercept network traffic (on the same local network, or via a compromised router) can execute a man-in-the-middle (MITM) attack: the NAS completes the TLS handshake with the attacker instead of the real SMTP server, so the attacker can decrypt or manipulate SMTP traffic and potentially capture sensitive information including SMTP credentials, email content, or notification details. The affected ADM versions range from 4.1.0 through 4.3.3.RKD2 and 5.0.0 through 5.1.0.RN42. The vulnerability does not require any authentication or user interaction, making it easier to exploit in environments where network traffic can be intercepted. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), attack requirements present (AT:P), no privileges required (PR:N), no user interaction (UI:N), low confidentiality impact (VC:L), no integrity or availability impact, and high scope impact (S:H), resulting in an overall high severity score of 7. No public exploits have been reported yet, but the vulnerability poses a significant risk to the confidentiality of SMTP communications. The lack of vendor patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of SMTP credentials and email notifications sent from ASUSTOR ADM devices. Organizations relying on these NAS devices for system alerts or automated email notifications could have sensitive information exposed if attackers intercept SMTP traffic. This could lead to further compromise if attackers leverage captured credentials to access mail servers or pivot within the network. Sectors such as finance, healthcare, government, and critical infrastructure that use ASUSTOR ADM devices for monitoring or alerting are particularly at risk. The impact is heightened in environments with inadequate network segmentation or where encrypted traffic inspection is not enforced. Additionally, organizations with remote or hybrid workforces may expose SMTP traffic over less secure networks, increasing the attack surface. The vulnerability does not affect integrity or availability directly but can facilitate broader attacks through credential theft and information disclosure.
Mitigation Recommendations
1. Monitor ASUSTOR's official channels for patches addressing CVE-2025-13052 and apply them promptly once available.
2. Until patches are released, disable the Notification feature that uses msmtp for SMTP email sending if feasible.
3. If email notifications are essential, configure msmtp or the SMTP client to enforce strict certificate validation manually, ensuring only trusted certificates are accepted.
4. Employ network segmentation to isolate NAS devices from untrusted networks and restrict access to SMTP servers to trusted hosts only.
5. Use VPNs or encrypted tunnels for SMTP traffic to prevent interception on insecure networks.
6. Implement network monitoring and intrusion detection systems to identify unusual SMTP traffic patterns indicative of MITM attempts.
7. Educate administrators about the risks of using default or weak TLS configurations and encourage regular review of device configurations.
8. Consider deploying SMTP authentication mechanisms that do not rely solely on TLS encryption, such as OAuth or token-based authentication, if supported.
9. Regularly audit and rotate SMTP credentials used by ADM devices to limit exposure duration in case of compromise.
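As an added example (not ADM's or msmtp's own code), the following Python audit parses an msmtprc configuration and flags the settings that leave the server certificate unverified, next to a hardened account that validates the chain against a CA bundle. The page does not state which msmtp option ADM misused; the sample assumes the defect corresponds to `tls_certcheck off`, and the hostnames, paths and account names are constructed.

```python
from typing import Dict, List

# Constructed sample msmtprc (not from ADM): one account with certificate checking
# disabled, one hardened to validate the server chain against a CA bundle.
SAMPLE_MSMTPRC = """
defaults
auth on
tls on
account weak
host smtp.example.com
tls_starttls on
tls_certcheck off
account hardened
host smtp.example.com
tls_starttls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
"""

def parse_msmtprc(text: str) -> Dict[str, Dict[str, str]]:
    """Parse msmtprc into {account: {option: value}} (simplified: 'defaults' seen before an account are copied into it)."""
    defaults: Dict[str, str] = {}
    accounts: Dict[str, Dict[str, str]] = {}
    current = defaults
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split option/value
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "defaults":
            current = defaults
        elif key == "account":
            current = accounts.setdefault(value.split()[0], dict(defaults))
        else:
            current[key] = value
    return accounts

def audit_account(cfg: Dict[str, str]) -> List[str]:
    """Findings that would let an on-path attacker read SMTP credentials unnoticed."""
    if cfg.get("tls", "off") != "on":
        return ["tls off: credentials and mail are sent in cleartext"]
    if cfg.get("tls_certcheck", "on") == "off":
        return ["tls_certcheck off: any server certificate is accepted (CWE-295)"]
    if not (cfg.get("tls_trust_file") or cfg.get("tls_fingerprint")):
        return ["no explicit trust anchor: set tls_trust_file or tls_fingerprint"]
    return []

def audit_msmtprc(text: str) -> Dict[str, List[str]]:
    """Audit every account in an msmtprc string; an empty list means no finding."""
    return {name: audit_account(cfg) for name, cfg in parse_msmtprc(text).items()}
```

Run `audit_msmtprc(SAMPLE_MSMTPRC)` to see the weak account reported and the hardened one pass; point it at a real msmtprc to check a client before relying on it for notifications.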
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASUSTOR1
- Date Reserved: 2025-11-12T10:01:36.262Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693b86d8650da22753ea4798
Added to database: 12/12/2025, 3:07:04 AM
Last enriched: 12/12/2025, 3:22:13 AM
Last updated: 12/12/2025, 7:33:21 AM