How to fix CVE-2026-6644?

Within 24 hours: Identify all ASUSTOR ADM systems in your environment and document versions (navigate to System Settings > General to confirm version). Restrict administrative web interface access to trusted networks only via firewall rules. Within 7 days: Disable PPTP VPN functionality entirely if not operationally required, or segment VPN administration to an isolated management network. Implement enhanced logging and monitoring of web interface activity to the PPTP VPN configuration pages. Within 30 days: Contact ASUSTOR support for patch availability status and establish a vendor communication protocol for critical updates. Plan migration to patched versions (4.3.4+ or 5.1.3+) as soon as released, prioritizing systems with sensitive data.

Is Command Injection affected by CVE-2026-6644?

ASUSTOR ADM versions 4.1.0-5.1.2 contain a critical remote code execution vulnerability in the PPTP VPN configuration interface that allows authenticated administrators to execute arbitrary system commands, potentially leading to complete compromise of NAS devices and stored data.

CVE-2026-6644

EUVD-2026-23784 CRITICAL

2026-04-20 ASUSTOR1

GHSA-32w9-6rwg-p96w

Command Injection RCE Adm

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 20, 2026 - 07:27 vuln.today

CVSS Changed

Apr 20, 2026 - 07:22 NVD

9.4 (CRITICAL)

DescriptionNVD

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

AnalysisAI

Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. …

RemediationAI

Within 24 hours: Identify all ASUSTOR ADM systems in your environment and document versions (navigate to System Settings > General to confirm version). Restrict administrative web interface access to trusted networks only via firewall rules. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6644 vulnerability details – vuln.today

Back

CVE-2026-6644

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

CVE-2026-6644

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code