{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6643", "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "state": "PUBLISHED", "assignerShortName": "ASUSTOR1", "dateReserved": "2026-04-20T04:06:43.009Z", "datePublished": "2026-04-20T06:34:27.511Z", "dateUpdated": "2026-04-20T06:34:27.511Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1", "dateUpdated": "2026-04-20T06:34:27.511Z"}, "title": "A stack-based buffer overflow vulnerability in the VPN Clients on the ADM", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121 Stack-based buffer overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-135", "descriptions": [{"lang": "en", "value": "CAPEC-135 Format String Injection"}]}], "affected": [{"vendor": "ASUSTOR Inc.", "product": "ADM", "platforms": ["Linux", "x86", "ARM", "64 bit"], "packageName": "VPN Clients", "versions": [{"status": "affected", "version": "4.1.0", "lessThanOrEqual": "4.3.3.RR42", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThanOrEqual": "5.1.2.REO1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. \nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. <br>Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1."}]}], "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=54", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}], "credits": [{"lang": "en", "value": "YU-XIANG HUANG (mlgzackfly)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. \nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1."}], "id": "CVE-2026-6643", "lastModified": "2026-04-20T07:16:16.543", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@asustor.com", "type": "Secondary"}]}, "published": "2026-04-20T07:16:16.543", "references": [{"source": "security@asustor.com", "url": "https://www.asustor.com/security/security_advisory_detail?id=54"}], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security@asustor.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["linux", "x86", "arm", "64_bit"], "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.0,4.3.3.RR42]"}}, {"platform": ["linux", "x86", "arm", "64_bit"], "status": "affected", "versions": {"scheme": "generic", "value": "[5.0.0,5.1.2.REO1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ADM", "source": "cna", "vendor": "ASUSTOR Inc."}, "product": "adm", "vendor": "asustor"}], "analysis": {"en": {"generated_at": "2026-04-20T08:23:27.143567+00:00", "value": {"mitigation_remediation": ["Update the ADM firmware to the latest release that includes the buffer overflow fix, which is available for versions beyond 5.1.2.REO1.", "If a firmware update cannot be applied immediately, disable or remove the vulnerable VPN client or block its network ports to prevent exploitation.", "Restrict access to the ADM web interface to trusted IP addresses and enforce strong authentication, including two-factor authentication if supported."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ASUSTOR Inc. Advanced Data Manager (ADM) devices running firmware versions 4.1.0 through 4.3.3.RR42 and 5.0.0 through 5.1.2.REO1. Users of these firmware releases are at risk unless updated beyond the listed versions.", "description_and_impact": "A buffer overflow in the VPN Clients on the ADM is caused by an unbounded sscanf and unsafe printf usage. The lack of PIE and stack canaries allows an authenticated remote attacker to supply crafted input and execute arbitrary code as the web server user. The flaw grants full control over the system hosting the ADM, enabling the attacker to run commands, install malware, or pivot to other network assets.", "risk_and_exploitability": "The CVSS base score is 8.6, indicating a high severity. The EPSS score is not available, but the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated remote access to the ADM, typically through the VPN client or web interface, and the attacker must send payloads that trigger the overflow. Once executed, the attacker gains code execution privileges as the web server user, potentially compromising the entire system."}}}}, "created": "2026-04-20T08:30:02.450321+00:00", "updated": "2026-04-20T08:30:02.622994+00:00", "vendors": ["asustor", "asustor$PRODUCT$adm"]}