CVE-2026-6644
Command Injection in ADM PPTP VPN Client Enables RCE
Publication date: 2026-04-20
Last updated on: 2026-04-30
Assigner: ASUSTOR, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asustor | data_master | From 5.0.0.ra82 (inclusive) to 5.1.2.reo1 (exclusive) |
| asustor | data_master | From 4.1.0.rhu2 (inclusive) to 4.3.3.RR42 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection flaw (CWE-78) in the PPTP VPN client component of ASUSTOR ADM, the operating system of ASUSTOR NAS devices. An authenticated user with administrative rights on the ADM web interface can supply crafted VPN client settings that break out of the intended command and run arbitrary commands on the underlying Linux system, outside the restrictions of the web application.
The root cause is that user-supplied connection parameters are passed to a system shell without adequate validation or neutralization of shell metacharacters. Because the injected commands execute in the context of the ADM service rather than the web application, the result is remote code execution and full compromise of the device.
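The pattern described above, as an added illustration that is not ASUSTOR's code: a constructed web handler that takes PPTP client settings (server, username, password) and assembles the command line for the system's pptp binary, first in the vulnerable string-concatenation form and then hardened with an allow-list and an argv list that is run without a shell. The binary path and the exact pptp/pppd option syntax are assumptions for the example, as is the attacker input.

```python
"""Constructed example of the CWE-78 pattern behind this advisory.

This is an added illustration, not ASUSTOR's ADM code: it models a web
handler that accepts PPTP client settings (server, username, password)
from an administrator and assembles the command line for the system's
pptp binary. The command shape is loosely modelled on pptp(8) with pppd
options and is an assumption, as is the binary path.
"""
import re
import subprocess

PPTP_BINARY = "/usr/sbin/pptp"  # assumed path


# --- vulnerable pattern -----------------------------------------------

def build_command_vulnerable(server: str, username: str, password: str) -> str:
    """Concatenates unvalidated fields into one string that the handler
    then hands to a shell (os.system() or subprocess with shell=True).
    Shell metacharacters in any field become part of the command,
    which is exactly CWE-78."""
    return f"{PPTP_BINARY} {server} user {username} password {password} nodetach"


_SHELL_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")


def split_like_shell(command_line: str) -> list:
    """Approximates how a POSIX shell splits a line into separate commands
    on ';', '&&', '||' and '|'. Quoting is ignored; this only makes the
    injected command visible and is not a real shell parser."""
    return [part for part in _SHELL_SEPARATORS.split(command_line) if part]


# --- hardened pattern -------------------------------------------------

# RFC 1123 host names (dotted IPv4 literals match too); no metacharacters.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
_USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_argv_hardened(server: str, username: str, password: str) -> list:
    """Validates each field against a strict allow-list and returns an
    argv list. Run with subprocess.run(argv) (shell=False, the default)
    there is no shell to interpret metacharacters, so even a password
    containing ';' or '$(' is passed to pptp as one literal argument."""
    if not _HOST_RE.match(server):
        raise ValueError("invalid PPTP server host name")
    if not _USER_RE.match(username):
        raise ValueError("invalid PPTP username")
    # Control characters are rejected because pppd secrets are line-based.
    if not password or any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise ValueError("invalid PPTP password")
    return [PPTP_BINARY, server, "user", username, "password", password, "nodetach"]


def rejects(server: str, username: str, password: str) -> bool:
    """True if the hardened builder refuses this input."""
    try:
        build_argv_hardened(server, username, password)
    except ValueError:
        return True
    return False


def launch(argv: list) -> subprocess.CompletedProcess:
    """Runs the validated argv without a shell. Not called below because
    no pptp binary is assumed to exist on the reader's machine."""
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    # Constructed attacker input: a "server" field carrying a trailing command.
    evil_server = "vpn.example.com; id"
    cmd = build_command_vulnerable(evil_server, "admin", "s3cret")
    print("vulnerable string:", cmd)
    print("shell would run  :", split_like_shell(cmd))
    print("hardened rejects :", rejects(evil_server, "admin", "s3cret"))
    print("hardened argv    :", build_argv_hardened("vpn.example.com", "admin", "s3cret"))
```

The hardened version does not try to escape or strip metacharacters; it rejects any host or username outside a narrow allow-list and never gives a shell the chance to parse the arguments. Passing the password on the command line is still undesirable (it is visible in the process list); on a real system it belongs in a mode-0600 pppd secrets file, which is why control characters are rejected even though no shell is involved.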
How can this vulnerability impact me?
Successful exploitation allows an attacker who can authenticate to the ADM web interface as an administrator (with legitimate, stolen or guessed credentials) to execute arbitrary commands on the NAS's underlying operating system over the network, leading to full compromise of the device.
- Remote Code Execution (RCE) on the underlying operating system, beyond the restrictions of the ADM web application.
- Complete system compromise, including potential theft of the data stored on the NAS, manipulation of the system, or disruption of services.
The affected ranges listed above end (exclusively) at 4.3.3.RR42 and 5.1.2.reo1, so those releases are the first outside the affected range on each branch. Since administrative access to the web interface is a prerequisite, not exposing the ADM interface to the internet and protecting administrator credentials reduces exposure until the update is applied.