CVE-2026-3100: CWE-295 Improper Certificate Validation in ASUSTOR ADM
CVE-2026-3100 is a high-severity vulnerability in ASUSTOR ADM affecting versions 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.2.
AI Analysis
Technical Summary
CVE-2026-3100 is a vulnerability classified under CWE-295 (Improper Certificate Validation) found in the ASUSTOR ADM operating system, specifically affecting the FTP Backup feature when it connects to FTP servers using FTPES/FTPS protocols. The vulnerability arises because the ADM does not strictly enforce TLS/SSL certificate verification, allowing an attacker to present invalid or malicious certificates without detection. This improper validation enables a remote attacker to conduct Man-in-the-Middle (MitM) attacks by intercepting network traffic between the ADM device and the FTP server. Through such interception, attackers can capture sensitive information including authentication credentials and backup data, or modify the data in transit. The affected versions span from ADM 4.1.0 through 4.3.3.ROF1 and 5.0.0 through 5.1.2.RE51. The CVSS v4.0 base score is 8.3, indicating a high severity due to network attack vector, low attack complexity, no required privileges or user interaction, and high impact on confidentiality. The vulnerability does not affect availability but compromises confidentiality significantly and integrity to a lesser extent. No patches or exploit code are currently publicly available, but the risk remains substantial given the sensitive nature of backup data and the ease of exploitation. The vulnerability is particularly critical for organizations relying on ASUSTOR ADM for secure backup operations over FTPES/FTPS.
Potential Impact
The primary impact of CVE-2026-3100 is the compromise of confidentiality and integrity of backup data transmitted via FTPES/FTPS from ASUSTOR ADM devices. Attackers exploiting this vulnerability can intercept authentication credentials, enabling further unauthorized access, and can also capture or modify backup data, potentially leading to data breaches, data corruption, or loss of data integrity. This can severely affect organizations that rely on ASUSTOR ADM for critical backup operations, including enterprises, government agencies, and service providers. The exposure of sensitive backup data can lead to intellectual property theft, compliance violations, and operational disruptions. Since the vulnerability requires no authentication or user interaction and can be exploited remotely, it increases the attack surface significantly. The lack of strict certificate validation undermines the security guarantees of TLS, making network communications vulnerable to interception on insecure or compromised networks. Organizations with remote backup servers or those operating in hostile network environments are particularly at risk.
Mitigation Recommendations
To mitigate CVE-2026-3100, organizations should immediately upgrade ASUSTOR ADM to versions later than 4.3.3.ROF1 and 5.1.2.RE51 once patches are released by ASUSTOR. Until patches are available, administrators should consider disabling the FTP Backup feature or switching to alternative backup methods that do not rely on vulnerable FTPES/FTPS connections. Network-level mitigations include enforcing VPN tunnels or IPsec between ADM devices and backup servers to protect traffic from interception. Additionally, organizations should implement strict network segmentation and firewall rules to restrict access to backup servers only to trusted hosts. Monitoring network traffic for unusual patterns or unexpected certificate anomalies can help detect attempted MitM attacks. Regularly auditing backup configurations and verifying the integrity of backup data can reduce the risk of undetected data tampering. Finally, organizations should maintain strong credential management and consider multi-factor authentication for accessing backup infrastructure to limit the impact of credential compromise.
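The verification gap described in the Technical Summary and the certificate check suggested above, as an added Python example (not ASUSTOR's code and not part of the original advisory): `lax_context` models a client that accepts any certificate, `strict_context` is the corrected setting, and `check_backup_server` performs only the TLS handshake from a trusted host to confirm that the backup server presents a certificate a strict client would accept. All function names, the optional SHA-256 pin and the default port 21 are assumptions.

```python
import ftplib
import hashlib
import ssl

def lax_context():
    """The CWE-295 pattern: TLS is negotiated but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context(cafile=None):
    """Chain and hostname verification enforced; cafile can hold a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """List the certificate checks a client context would skip."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(der, pinned):
    """Compare a DER certificate with a recorded SHA-256 pin (colons optional)."""
    return fingerprint(der) == pinned.replace(":", "").strip().lower()

def check_backup_server(host, pinned=None, port=21, cafile=None, timeout=10):
    """Explicit-FTPS (AUTH TLS) handshake with strict verification; no login is sent."""
    ftp = ftplib.FTP_TLS(context=strict_context(cafile), timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()                      # TLS handshake; fails on a bad certificate
        der = ftp.sock.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        return "REJECTED: " + exc.verify_message
    finally:
        ftp.close()
    if pinned and not pin_matches(der, pinned):
        return "PIN MISMATCH: " + fingerprint(der)
    return "OK: " + fingerprint(der)
```

Recording the fingerprint from a known-good run and passing it as `pinned` on later runs turns an unexpected certificate change on the backup path into an explicit `PIN MISMATCH` result.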
Affected Countries
United States, Germany, Japan, South Korea, Taiwan, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: ASUSTOR1
- Date Reserved: 2026-02-24T08:35:18.143Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699e999bb7ef31ef0be231a3
Added to database: 2/25/2026, 6:41:31 AM
Last enriched: 2/25/2026, 6:56:03 AM
Last updated: 2/25/2026, 7:51:58 AM