An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link cve-icon cve-icon
History

Tue, 03 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device's slot, then access the USB drive's symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files.
References
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-03T17:40:14.800Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69430

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-02-03T18:16:16.817

Modified: 2026-02-03T18:16:16.817

Link: CVE-2025-69430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.