CVE-2026-6643

CRITICAL

ASUSTOR ADM 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 - Authenticated Remote Code Execution via VPN Client Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-6643. PoCs published by mlgzackfly.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-6643, targeting ASUSTOR ADM 5.1.2. The exploit leverages a format string vulnerability (CWE-134) and a stack buffer overflow (CWE-121) in the `vpnupload.cgi` component to achieve remote code execution (RCE). The exploit is well-documented with detailed technical analysis, including stack layout, mitigation bypasses, and step-by-step exploitation instructions.

Description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Exploits (1)

github WORKING POC

by mlgzackfly · pythonpoc

https://github.com/mlgzackfly/CVE-2026-6643

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-6643, targeting ASUSTOR ADM 5.1.2. The exploit leverages a format string vulnerability (CWE-134) and a stack buffer overflow (CWE-121) in the `vpnupload.cgi` component to achieve remote code execution (RCE). The exploit is well-documented with detailed technical analysis, including stack layout, mitigation bypasses, and step-by-step exploitation instructions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: ASUSTOR ADM 5.1.2.REO1 (X64_G3)

Auth required

Prerequisites: Valid `Revive_Session` cookie · Access to `/portal/apis/settings/vpnupload.cgi`

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://www.asustor.com/security/security_advisory_detail?id=54

Scores

CVSS v3 9.9

EPSS 0.0047

EPSS Percentile 36.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-121

Status published

Products (3)

asustor/data_master 4.1.0.rhu2 - 4.3.3.RR42

ASUSTOR Inc./ADM 4.1.0 - 4.3.3.RR42

ASUSTOR Inc./ADM 5.0.0 - 5.1.2.REO1

Published Apr 20, 2026

Tracked Since Apr 20, 2026