CVE 9.8 CRITICAL

CVE-2025-69430_CVE-2025-69430

February 5, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.

AI Analysis

Incorrect Symlink Follow vulnerability in Yottamaster NAS devices allowing attackers to leak or tamper with the internal file system

Basic Information

ID CVE-2025-69430

Source mitre

Published Feb 3, 2026 at 00:00

Modified Feb 5, 2026 at 14:44

Affected Product

Vendor Yottamaster

Product Yottamaster NAS devices

Version V1.9.12, V1.2.23

Affected Versions n/a n/a n/a

CWE Classification

CWE-59

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Yottamaster

Product Yottamaster NAS devices

Version V1.9.12, V1.2.23

References

www.notion.so /Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8

{
    "lastseen": "",
    "description": "An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.",
    "published": "2026-02-03T00:00:00.000Z",
    "modified": "2026-02-05T14:44:56.737Z",
    "type": "cve",
    "title": "CVE-2025-69430",
    "source": "mitre",
    "references": "https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link",
    "id": "CVE-2025-69430",
    "bulletinFamily": "",
    "cwe": [
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Yottamaster NAS devices",
    "version": "V1.9.12, V1.2.23",
    "vendor": "Yottamaster",
    "ai_description": "Incorrect Symlink Follow vulnerability in Yottamaster NAS devices allowing attackers to leak or tamper with the internal file system",
    "ai_severity": "Critical",
    "ai_vendor": "Yottamaster",
    "ai_product": "Yottamaster NAS devices",
    "ai_version": "V1.9.12, V1.2.23",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply