CVE-2026-6644

CRITICAL

A command injection vulnerability was found in the PPTP VPN Clients on the ADM

Title source: cna

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

References (1)

[Vendor Advisory] https://https://www.asustor.com/security/security_advisory_detail?id=55

Scores

CVSS v3 9.1

EPSS 0.0073

EPSS Percentile 72.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

asustor/data_master 4.1.0.rhu2 - 4.3.3.RR42

ASUSTOR Inc./ADM 4.1.0 - 4.3.3.RR42

ASUSTOR Inc./ADM 5.0.0 - 5.1.2.REO1

Published Apr 20, 2026

Tracked Since Apr 20, 2026