CVE-2026-24935: CWE-295 Improper Certificate Validation in ASUSTOR ADM
CVE-2026-24935 is a medium severity vulnerability in ASUSTOR ADM affecting versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.
AI Analysis
Technical Summary
CVE-2026-24935 is a vulnerability classified under CWE-295 (Improper Certificate Validation) found in ASUSTOR ADM, a network-attached storage operating system. The issue stems from a third-party NAT traversal module that fails to properly validate SSL/TLS certificates when connecting to the signaling server responsible for establishing NAT tunnels. This improper validation allows an attacker positioned as a Man-in-the-Middle (MitM) to intercept or redirect the NAT tunnel setup process. While subsequent access to device services requires additional authentication, the attacker can disrupt service availability by interfering with tunnel establishment or act as a proxy to relay or manipulate traffic between the user and device services. This could facilitate further targeted attacks, such as credential harvesting or exploitation of other vulnerabilities. The affected versions span ADM 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1. The CVSS v4.0 base score is 6.3, indicating medium severity, with network attack vector, low complexity, no privileges required, no user interaction, and partial impacts on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vulnerability poses a risk especially in environments where NAT traversal is critical for remote access.
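The advisory does not publish the NAT traversal module's code, so the following is an added illustration of the defect class (CWE-295) in a TLS client, not the vendor's or the module's own code. It sets a client configuration that skips validation beside a hardened one and audits both; the function names are hypothetical.

```python
import ssl

def lax_client_context():
    """The defect class (CWE-295): traffic is encrypted, the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, from anyone, completes the handshake
    return ctx

def strict_client_context(cafile=None):
    """Hardened form: chain verified against a trust store, name matched to the server."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_client_context(ctx):
    """Return the validation gaps that would let an on-path host impersonate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server name")
    return findings

if __name__ == "__main__":
    for name, ctx in (("lax", lax_client_context()), ("strict", strict_client_context())):
        print(name, audit_client_context(ctx) or "ok")
```

A context that verifies the chain but leaves `check_hostname` off still reports one finding: it accepts a valid certificate issued for any other name.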
Potential Impact
For European organizations, this vulnerability could lead to service disruptions or enable attackers to position themselves as intermediaries in communications with ASUSTOR ADM devices. This may compromise confidentiality and integrity of data transmitted through the NAT tunnels, potentially exposing sensitive information or enabling further exploitation. Organizations relying on ASUSTOR ADM for critical storage or remote access services could face operational downtime or data leakage risks. The threat is heightened in sectors with stringent data protection requirements such as finance, healthcare, and government. Additionally, the ability to disrupt availability could impact business continuity. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely, increasing the attack surface for exposed devices connected to the internet or untrusted networks.
Mitigation Recommendations
Organizations should monitor ASUSTOR's official channels for patches addressing this vulnerability and apply them promptly once released. In the interim, network-level mitigations include restricting access to ADM devices and their NAT traversal signaling servers via firewall rules or VPNs to trusted IP ranges only. Employing network segmentation to isolate ADM devices from general user networks can reduce exposure. Enabling and enforcing multi-factor authentication on ADM services adds an additional security layer beyond the vulnerable NAT traversal module. Regularly auditing network traffic for unusual patterns indicative of MitM attacks or tunnel disruptions can aid early detection. Where possible, disabling or replacing the affected NAT traversal functionality with more secure alternatives should be considered. Finally, educating administrators about this specific risk and encouraging vigilance around ADM device configurations will help reduce exploitation likelihood.
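One way to carry out the traffic audit recommended above, as an added example that is not part of the advisory: compare the certificate presented on each signaling session against a known-good baseline and count failed handshakes per device. The host name, fingerprints, record fields and sample records are constructed placeholders.

```python
from collections import Counter

# Assumptions, not values from the advisory: the signaling host name, the
# baseline fingerprint and the record fields stand in for what your own TLS
# metadata sensor and a known-good capture would provide.
SIGNALING_HOST = "signaling.example.invalid"
BASELINE_FPS = {"aa11" * 16}          # constructed SHA-256 fingerprint (hex)

# Constructed sample: one record per TLS session leaving the NAS segment.
SAMPLE = [
    {"src": "10.0.5.20", "dst": "203.0.113.10", "sni": SIGNALING_HOST,
     "fp": "aa11" * 16, "established": True},
    {"src": "10.0.5.20", "dst": "198.51.100.7", "sni": SIGNALING_HOST,
     "fp": "bb22" * 16, "established": True},
    {"src": "10.0.5.21", "dst": "203.0.113.10", "sni": SIGNALING_HOST,
     "fp": None, "established": False},
    {"src": "10.0.5.21", "dst": "203.0.113.10", "sni": SIGNALING_HOST,
     "fp": None, "established": False},
    {"src": "10.0.5.21", "dst": "203.0.113.10", "sni": SIGNALING_HOST,
     "fp": None, "established": False},
    {"src": "10.0.5.30", "dst": "192.0.2.44", "sni": "updates.example.invalid",
     "fp": "cc33" * 16, "established": True},
]

def audit_sessions(records, host=SIGNALING_HOST, baseline=BASELINE_FPS, max_failures=3):
    """Flag signaling sessions that completed with an unknown certificate, and
    sources whose handshakes to the signaling host keep failing."""
    alerts, failures = [], Counter()
    for r in records:
        if r["sni"] != host:
            continue                              # not signaling traffic
        if not r["established"]:
            failures[r["src"]] += 1               # possible tunnel disruption
        elif r["fp"] not in baseline:
            # A client that skips validation completes this handshake, so the
            # mismatch is only visible to an observer that knows the baseline.
            alerts.append(("unexpected-certificate", r["src"], r["dst"]))
    for src, count in sorted(failures.items()):
        if count >= max_failures:
            alerts.append(("repeated-handshake-failure", src, count))
    return alerts

if __name__ == "__main__":
    for alert in audit_sessions(SAMPLE):
        print(alert)
```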
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASUSTOR1
- Date Reserved: 2026-01-28T08:40:24.462Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6981ab4df9fa50a62fae40e5
Added to database: 2/3/2026, 8:01:17 AM
Last enriched: 2/3/2026, 8:03:37 AM
Last updated: 2/3/2026, 9:04:12 AM