{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6644", "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "state": "PUBLISHED", "assignerShortName": "ASUSTOR1", "dateReserved": "2026-04-20T04:06:46.522Z", "datePublished": "2026-04-20T06:54:42.989Z", "dateUpdated": "2026-04-20T06:54:42.989Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1", "dateUpdated": "2026-04-20T06:54:42.989Z"}, "title": "A command injection vulnerability was found in the PPTP VPN Clients on the ADM", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "affected": [{"vendor": "ASUSTOR Inc.", "product": "ADM", "packageName": "PPTP VPN Clients", "versions": [{"status": "affected", "version": "4.1.0", "lessThanOrEqual": "4.3.3.RR42", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThanOrEqual": "5.1.2.REO1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.\nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.<br>Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1."}]}], "references": [{"url": "https://https://www.asustor.com/security/security_advisory_detail?id=55", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "uky", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.\nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1."}], "id": "CVE-2026-6644", "lastModified": "2026-04-20T07:16:16.693", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@asustor.com", "type": "Secondary"}]}, "published": "2026-04-20T07:16:16.693", "references": [{"source": "security@asustor.com", "url": "https://https://www.asustor.com/security/security_advisory_detail?id=55"}], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@asustor.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.0,4.3.3.RR42]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0.0,5.1.2.REO1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ADM", "source": "cna", "vendor": "ASUSTOR Inc."}, "product": "adm", "vendor": "asustor"}], "analysis": {"en": {"generated_at": "2026-04-20T08:22:40.291581+00:00", "value": {"mitigation_remediation": ["Update the ADM firmware to the latest version that contains the fix for the PPTP VPN client command injection flaw.", "If the PPTP VPN service is not required, disable it or remove the related packages to eliminate the attack surface.", "Configure the network firewall to restrict access to the ADM administrative interface to known, trusted IP addresses and enforce strong authentication, thereby limiting the potential for an attacker to reach the vulnerable endpoint."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "ASUSTOR Inc. ADM devices are affected, specifically all builds from ADM 4.1.0 through ADM 4.3.3.RR42 and from ADM 5.0.0 through ADM 5.1.2.REO1.", "description_and_impact": "The vulnerability is a command injection flaw in the PPTP VPN client of the ADM web interface, caused by insufficient validation of user input that is passed to a system shell. An administrative user can exploit this flaw to break out of the restricted web environment, run arbitrary operating\u2011system commands, and consequently achieve full system compromise through Remote Code Execution, which aligns with CWE\u201178.", "risk_and_exploitability": "The CVSS score of 9.4 indicates critical severity, and although the EPSS score is not available, the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits at this time. However, exploitation would require administrative access to the web interface; an attacker with such access could remotely execute arbitrary code on the underlying operating system, leading to a full compromise of the device and its network."}}}}, "created": "2026-04-20T08:30:02.622064+00:00", "updated": "2026-04-20T09:00:02.857173+00:00", "vendors": ["asustor", "asustor$PRODUCT$adm"]}