Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.
AnalysisAI
Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. Attack complexity is low (AC:L) with network attack vector (AV:N), and CVSS 9.4 reflects critical impact across confidentiality, integrity, and availability. No active exploitation or public POC confirmed at time of analysis, though EPSS probability data not available.
Technical ContextAI
This vulnerability affects ASUSTOR ADM, the Linux-based operating system powering ASUSTOR network-attached storage (NAS) devices. The flaw resides in the PPTP VPN Clients configuration interface within the ADM web management portal. CWE-78 (OS Command Injection) occurs when the application fails to properly sanitize user input before passing it to system shell execution functions like system(), exec(), or popen(). In this case, administrative users configuring PPTP VPN parameters can inject shell metacharacters or command separators (such as semicolons, pipes, or backticks) that escape the intended command context and execute arbitrary commands with the privileges of the ADM web server process, typically root or a highly privileged system account. The affected CPE (cpe:2.3:a:asustor_inc.:adm) confirms the vulnerability spans two major version branches of ADM, indicating a persistent design flaw rather than a version-specific regression.
RemediationAI
Apply vendor-released security updates immediately. ASUSTOR Security Advisory #55 (https://www.asustor.com/security/security_advisory_detail?id=55) provides official patching guidance, though exact fixed version numbers are not confirmed in available data. Monitor ASUSTOR support portal for ADM 4.3.4+ and ADM 5.1.3+ releases addressing this vulnerability. Until patches are applied, implement compensating controls: (1) Restrict ADM web interface access to trusted management networks only via firewall rules-block internet-facing exposure entirely (this prevents remote exploitation but impacts remote admin capabilities). (2) Enforce multi-factor authentication on all ADM administrator accounts to raise credential compromise difficulty (does not prevent exploitation by legitimate admins or attackers with stolen MFA tokens). (3) Disable PPTP VPN functionality if not operationally required, removing the vulnerable attack surface (impacts VPN-dependent workflows). (4) Monitor ADM system logs for unusual PPTP configuration changes or unexpected process execution under web server context. None of these mitigations eliminate the vulnerability; patching is the only complete remediation.
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/
EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory st
A stack-based buffer overflow vulnerability was found in the ASUSTOR Data Master (ADM) due to the lack of data size vali
A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validati
Remote code execution in ASUSTOR ADM (4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1) allows authenticated high-privilege attacke
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. Rated medium severity (CVSS 6
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23784
GHSA-32w9-6rwg-p96w