CVE-2026-6644
Published 2026-04-20
Priority: P2 · 62 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.45% (70.1st percentile)
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.
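The description above names the defect class rather than the code: CWE-78, user-supplied input reaching a system shell without validation. As an added illustration, which is not ASUSTOR's code and is not derived from the ADM implementation, the following Python shows the generic vulnerable shape beside a hardened form. The function names, the allowlist rules and the `pptp` argument layout are assumptions made for this example only.

```python
import re

# Added illustration of CWE-78 (OS command injection); constructed example,
# not ASUSTOR ADM code. Function names, validation rules and the `pptp`
# argument layout are assumptions made for this example.

# Allowlist for a DNS hostname: labels of letters, digits and hyphens,
# separated by dots. Anything a shell could interpret (; | & $ ` newline,
# whitespace, quotes) lies outside the allowed alphabet and is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Allowlist for a VPN username (assumed policy for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def unsafe_command_string(server: str, username: str) -> str:
    """Vulnerable pattern: form fields interpolated into one shell line.

    The string is returned, not executed, so the reader can see that code
    of this shape hands whatever the user typed verbatim to `/bin/sh -c`;
    nothing here constrains `server` or `username`.
    """
    return f"pptp {server} user {username} nodetach"


def validate_hostname(value: str) -> str:
    """Return `value` unchanged if it is a plain hostname, else raise."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return value


def validate_username(value: str) -> str:
    """Return `value` unchanged if it matches the username allowlist."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"rejected username: {value!r}")
    return value


def build_pptp_argv(server: str, username: str) -> list[str]:
    """Hardened pattern: allowlist-validate each field, then build an argv
    list. Passing a list to subprocess.run (shell=False, the default) goes
    through execve(), so no shell ever tokenizes the user's input."""
    return [
        "pptp",
        validate_hostname(server),
        "user",
        validate_username(username),
        "nodetach",
    ]


def is_accepted(server: str, username: str) -> bool:
    """True if both fields pass validation (convenience for callers)."""
    try:
        build_pptp_argv(server, username)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal hostname and one carrying shell syntax.
    for srv in ("vpn.example.com", "vpn.example.com; id"):
        print(f"{srv!r:>24}: unsafe   -> {unsafe_command_string(srv, 'alice')!r}")
        print(f"{'':>24}  hardened -> accepted={is_accepted(srv, 'alice')}")
```

The two defences are independent: the allowlist rejects anything outside the expected alphabet at the web layer, and the argv list removes the shell from the path entirely, so even a field that slips past validation is delivered to the program as a single argument rather than parsed as command syntax. Detection for this class is usually a child-process watch on the web server's worker, since a legitimate VPN client launch and an injected command both appear as children of the same process.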
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asustor | data_master | >= 4.1.0.rhu2 < 4.3.3.RR42 | 4.3.3.RR42 |
| asustor | data_master | >= 5.0.0.ra82 < 5.1.2.reo1 | 5.1.2.reo1 |
| asustor_inc | adm | 4.1.0 – 4.3.3.RR42 | — |
| asustor_inc | adm | 5.0.0 – 5.1.2.REO1 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
ASUSTOR ADM up to 4.3.3.RR42/5.1.2.REO1 OS command injection (EUVD-2026-23784)
vuldb · 2026-04-20 · CVSS 9.4 · CVE-2026-6644 [CRITICAL]
A vulnerability described as critical has been identified in ASUSTOR ADM up to 4.3.3.RR42/5.1.2.REO1. Impacted is an unknown function. Such manipulation leads to OS command injection.
This vulnerability is documented as CVE-2026-6644. The attack can be executed remotely. There is no exploit available.
GHSA
GHSA-32w9-6rwg-p96w: A command injection vulnerability was found in the PPTP VPN Clients on the ADM
ghsa_unreviewed · 2026-04-20 · CVE-2026-6644 [CRITICAL] · CWE-78
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.