CVE-2026-6644

A command injection vulnerability was found in the PPTP VPN Clients on the ADM

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

INFO

Published Date :

2026-04-20T06:54:42.989Z

Last Modified :

2026-04-20T06:54:42.989Z

Source :

ASUSTOR1

AFFECTED PRODUCTS

The following products are affected by CVE-2026-6644 vulnerability.

Vendors	Products
Asustor	Adm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-6644.

URL	Resource
https://https://www.asustor.com/security/security_advisory_detail?id=55

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability