VYPR
Medium severity · NVD Advisory · Published Jul 9, 2025 · Updated Apr 15, 2026

CVE-2025-7379

Description

A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DataSync Center on ASUSTOR NAS, in versions before 1.1.0.r207 and 1.2.0.r206, is vulnerable to reverse tabnabbing, which enables phishing attacks for credential theft.

A security bypass vulnerability in ASUSTOR DataSync Center allows exploitation via Reverse Tabnabbing, a phishing technique where attackers manipulate the content of the original tab after a user clicks a link. The issue stems from improper handling of target links, failing to set rel="noopener noreferrer" on outbound links, which permits the newly opened page to control the opener tab via window.opener [1].

An attacker can host a malicious page that, when a victim clicks a link to it, opens in a new tab and then modifies the original DataSync Center tab to display a fake login form or other credential harvesting content. The attack requires user interaction (clicking a crafted link) and the attacker must have a presence on the same network to serve the malicious page, though remote exploitation is possible via social engineering [1].

Successful exploitation could lead to credential theft and other security risks, as the manipulated original tab may trick the user into entering sensitive information, allowing the attacker to bypass intended security controls. The vulnerability affects DataSync Center versions from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206 on ASUSTOR NAS devices [1].

ASUSTOR has released fixes: DataSync Center 1.1.0.r208 for ADM 4.x and 1.2.0.r207 for ADM 5.0 and above. Users are advised to upgrade to the latest version to mitigate the risk [1].
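
For teams checking their own web UIs for the missing rel="noopener noreferrer" pattern described above, the following audit is an added example, not code from ASUSTOR or from this advisory. The sample markup, the function names and the risk labels are constructed for illustration, and the regex-based tag matching assumes attribute values contain no ">" character.

```javascript
// Added example: audit markup for links that leave window.opener reachable.
// SAMPLE_HTML is constructed for illustration; it is not DataSync Center markup.
const SAMPLE_HTML = `
<a href="https://docs.example/help" target="_blank">Help</a>
<a href="https://vendor.example/" target="_blank" rel="noopener noreferrer">Vendor</a>
<A HREF='https://cdn.example/report' TARGET=reports>Report</A>
<a href="https://partner.example/" target="_blank" rel="opener">Partner</a>
<a href="/settings" target="_self">Settings</a>
<a href="https://news.example/" rel="nofollow">News</a>
`;

// Parse one start tag's attributes: double-quoted, single-quoted or bare values.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  const body = tag.replace(/^<\s*[a-z]+/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in HTML parsing.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Targets that stay in an existing browsing context and create no opener link.
const SAME_CONTEXT = new Set(["_self", "_parent", "_top"]);

function findOpenerLeaks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(?:a|area)(?=[\s>\/])[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const target = (a.target || "").trim().toLowerCase();
    if (!target || SAME_CONTEXT.has(target)) continue;
    const rel = new Set((a.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    // noreferrer implies noopener, so either keyword severs window.opener.
    if (rel.has("noopener") || rel.has("noreferrer")) continue;
    // Current browsers treat target=_blank as noopener unless rel=opener asks for
    // the opener back; named targets and older browsers get no such default.
    const risk = target === "_blank" && !rel.has("opener") ? "legacy-browsers" : "all-browsers";
    findings.push({ href: a.href || "", target, risk });
  }
  return findings;
}

console.log(findOpenerLeaks(SAMPLE_HTML));
```

Links created from script with window.open are not covered by this check and need a separate review.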

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
