
CVE-2025-7380: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ASUSTOR ADM

Severity: Medium
Tags: Vulnerability, CVE-2025-7380, CWE-79
Published: Mon Jul 14 2025 (07/14/2025, 05:39:07 UTC)
Source: CVE Database V5
Vendor/Project: ASUSTOR
Product: ADM

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM; the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61, as well as ADM 5.0.0.RIN1 and earlier.

AI-Powered Analysis

Last updated: 07/14/2025, 06:01:24 UTC

Technical Analysis

CVE-2025-7380 is a stored Cross-Site Scripting (XSS) vulnerability in ASUSTOR's ADM (ASUSTOR Data Master) NAS operating system, affecting versions from 4.1.0 up to 4.3.3.RH61, and 5.0.0.RIN1 and earlier. The root cause is improper neutralization of input during web page generation (CWE-79): the folder name entered when creating a new shared folder in the ADM interface is stored without adequate sanitization and later inserted into the page without output encoding. Any script embedded in that name is therefore executed in the browser of every user who views the folder name in the ADM UI, which can lead to theft of session cookies, session hijacking, or actions performed on behalf of the victim. In CVSS v4.0 terms the attack vector is network-based (AV:N); storing the payload requires low privileges (PR:L), since the attacker must be able to create a shared folder, and triggering it requires user interaction (UI:A) from the victim who views the name. The base score is 4.8 (medium). Confidentiality and integrity are impacted to a limited extent, with no direct impact on availability. No exploits in the wild are currently reported, and no official patch has been linked yet. The vulnerability matters most where ADM manages shared storage for multiple users, because folder names are visible across accounts and one low-privileged user can thereby attack others, including administrators.

Potential Impact

For European organizations utilizing ASUSTOR ADM for network-attached storage (NAS) solutions, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute arbitrary JavaScript in the context of legitimate users, potentially leading to session hijacking, unauthorized access to sensitive data, or manipulation of the ADM interface. This is particularly concerning in sectors with stringent data protection requirements such as finance, healthcare, and government, where unauthorized data access or session compromise could lead to regulatory violations under GDPR and other privacy laws. Additionally, organizations with multiple users accessing shared folders are at higher risk, as the stored XSS payload would execute when any user views the folder name. While the vulnerability does not directly impact system availability, the potential for data leakage and unauthorized actions can disrupt business operations and erode trust in IT infrastructure security. The lack of known exploits in the wild reduces immediate urgency but does not eliminate the risk, especially as attackers may develop exploits once the vulnerability becomes public knowledge.

Mitigation Recommendations

To mitigate CVE-2025-7380 effectively, European organizations should implement a multi-layered approach:

1) Immediately restrict folder creation permissions to trusted administrators or users to limit the ability to inject malicious scripts.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script payloads in HTTP requests targeting the ADM interface.
3) Monitor ADM logs for unusual folder creation activities or unexpected script content in folder names.
4) Educate users to avoid interacting with suspicious folder names or links within the ADM UI.
5) Where possible, apply input validation and output encoding at the application level to sanitize folder names, either by deploying custom scripts or by requesting vendor patches.
6) Regularly check for and apply official ASUSTOR security updates once available.
7) Consider network segmentation to isolate ADM devices from less trusted network segments, reducing exposure.
8) Implement session management best practices such as short session timeouts and multi-factor authentication to reduce the impact of session hijacking attempts.
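The following is an added illustration, not ASUSTOR's code, of the defect class described in the technical analysis and of the input validation and output encoding named in mitigation 5: a folder-list view that concatenates a stored share name straight into markup, beside a hardened version that encodes the name at output time. The folder-name character set, the rendering functions and the sample record are all assumptions made for the example.

```javascript
// Added illustration (not ASUSTOR code): how a stored XSS in a "folder name"
// field arises and how input validation plus output encoding neutralize it.
// Assumes a simple folder-list view that renders share names as HTML strings.

// Output encoding: escape the five characters that matter in HTML text and
// attribute contexts so a stored name is rendered as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Input validation at creation time (allowlist): names built from letters,
// digits, space, dot, underscore and hyphen, not starting or ending with a
// space or dot. This charset is an assumption for the example, not ADM's policy.
function isValidFolderName(name) {
  return /^[A-Za-z0-9 ._-]{1,64}$/.test(name) && !/^[ .]|[ .]$/.test(name);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so any tag the creator stored is emitted as live HTML for every viewer.
function renderFolderRowVulnerable(folder) {
  return `<tr><td class="name">${folder.name}</td><td>${folder.owner}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded at the point of output,
// so the same stored name is displayed as text instead of executed.
function renderFolderRowSafe(folder) {
  return `<tr><td class="name">${escapeHtml(folder.name)}</td>` +
         `<td>${escapeHtml(folder.owner)}</td></tr>`;
}

// Detection aid for log review (mitigation 3): flag stored names containing
// markup metacharacters, which a legitimate share name should never need.
function looksLikeMarkup(name) {
  return /[<>"'&]|javascript:/i.test(name);
}

// Constructed sample record using the classic harmless probe string.
const sampleFolder = { name: 'Projects<script>alert(1)</script>', owner: 'alice' };
```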


Technical Details

Data Version
5.1
Assigner Short Name
ASUSTOR1
Date Reserved
2025-07-09T06:12:02.702Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6874999ba83201eaacc2347a

Added to database: 7/14/2025, 5:46:03 AM

Last enriched: 7/14/2025, 6:01:24 AM

Last updated: 8/15/2025, 8:22:17 PM
