CVE-2026-24935 is a vulnerability categorized under CWE-295 (Improper Certificate Validation) affecting ASUSTOR's ADM NAS operating system in versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.1.RCI1. The issue arises from a third-party NAT traversal module that fails to properly validate SSL/TLS certificates when establishing connections to the signaling server. This improper validation allows an attacker positioned on the network path to perform a Man-in-the-Middle (MitM) attack during the NAT tunnel establishment phase. While subsequent access to device services requires additional authentication, the attacker can intercept or redirect the initial signaling traffic, potentially disrupting service availability or acting as a proxy to relay or manipulate communications. This proxy capability could facilitate further targeted attacks, such as credential harvesting or command injection, by exploiting the trust relationship established through the NAT tunnel. The vulnerability does not require user interaction or privileges and can be exploited remotely over the network. The CVSS 4.0 base score of 6.3 reflects a medium severity, considering the attack vector is network-based, the attack complexity is low, and the impact on confidentiality, integrity, and availability is partial but not complete. No public exploits are known at this time, but the flaw represents a significant risk for organizations relying on vulnerable ASUSTOR ADM versions for critical storage or network services. The lack of patch links suggests that a fix may still be pending or not yet publicly disclosed.

For European organizations, this vulnerability poses risks primarily to the confidentiality, integrity, and availability of data stored or accessed via ASUSTOR ADM devices. The ability of an attacker to intercept or redirect NAT tunnel establishment could lead to service disruptions, impacting business continuity and availability of critical data. Additionally, acting as a proxy could enable attackers to perform further targeted attacks, potentially compromising sensitive information or escalating privileges. Organizations using these ADM versions in sectors such as finance, healthcare, or government could face increased risks due to the sensitivity of stored data and regulatory requirements like GDPR. The vulnerability could also undermine trust in remote access solutions, especially for organizations relying on NAT traversal for remote connectivity. Although additional authentication is required for device services, the initial interception weakens the security posture and could facilitate credential theft or session hijacking. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known. Disruption of NAS services could also affect backup and disaster recovery processes, amplifying operational risks.

European organizations should implement the following specific mitigations: 1) Monitor ASUSTOR's official channels for patches addressing CVE-2026-24935 and apply updates promptly once available. 2) Restrict network access to ADM devices by implementing firewall rules that limit signaling server connections to trusted IP addresses and networks, reducing exposure to MitM attacks. 3) Employ network segmentation to isolate NAS devices from general user networks, minimizing the attack surface. 4) Use VPNs or other secure tunneling protocols with strong certificate validation for remote access instead of relying solely on the vulnerable NAT traversal module. 5) Conduct regular network traffic monitoring and anomaly detection to identify potential MitM activities or unusual signaling traffic patterns. 6) Enforce strong authentication mechanisms on ADM devices and consider multi-factor authentication to reduce the impact of intercepted credentials. 7) Educate IT staff about the risks of improper certificate validation and the importance of verifying SSL/TLS connections in networked devices. 8) Review and update incident response plans to include scenarios involving NAS device compromise or service disruption. These measures go beyond generic advice by focusing on network-level controls, monitoring, and operational readiness tailored to the specific vulnerability context.