Skip to main content

Adm EUVDEUVD-2026-23784

| CVE-2026-6644 CRITICAL
OS Command Injection (CWE-78)
2026-04-20 ASUSTOR1 GHSA-32w9-6rwg-p96w
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 07:27 vuln.today
CVSS changed
Apr 20, 2026 - 07:22 NVD
9.4 (CRITICAL)
EUVD ID Assigned
Apr 20, 2026 - 07:15 euvd
EUVD-2026-23784
Analysis Generated
Apr 20, 2026 - 07:15 vuln.today
CVE Published
Apr 20, 2026 - 06:54 nvd
CRITICAL 9.4

DescriptionCVE.org

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

AnalysisAI

Remote code execution in ASUSTOR ADM (ASUSTOR Data Master) operating system versions 4.1.0-4.3.3.RR42 and 5.0.0-5.1.2.REO1 allows authenticated administrators to inject arbitrary OS commands via the PPTP VPN Clients web interface. The command injection (CWE-78) bypasses the restricted web environment, enabling full system compromise. Attack complexity is low (AC:L) with network attack vector (AV:N), and CVSS 9.4 reflects critical impact across confidentiality, integrity, and availability. No active exploitation or public POC confirmed at time of analysis, though EPSS probability data not available.

Technical ContextAI

This vulnerability affects ASUSTOR ADM, the Linux-based operating system powering ASUSTOR network-attached storage (NAS) devices. The flaw resides in the PPTP VPN Clients configuration interface within the ADM web management portal. CWE-78 (OS Command Injection) occurs when the application fails to properly sanitize user input before passing it to system shell execution functions like system(), exec(), or popen(). In this case, administrative users configuring PPTP VPN parameters can inject shell metacharacters or command separators (such as semicolons, pipes, or backticks) that escape the intended command context and execute arbitrary commands with the privileges of the ADM web server process, typically root or a highly privileged system account. The affected CPE (cpe:2.3:a:asustor_inc.:adm) confirms the vulnerability spans two major version branches of ADM, indicating a persistent design flaw rather than a version-specific regression.

RemediationAI

Apply vendor-released security updates immediately. ASUSTOR Security Advisory #55 (https://www.asustor.com/security/security_advisory_detail?id=55) provides official patching guidance, though exact fixed version numbers are not confirmed in available data. Monitor ASUSTOR support portal for ADM 4.3.4+ and ADM 5.1.3+ releases addressing this vulnerability. Until patches are applied, implement compensating controls: (1) Restrict ADM web interface access to trusted management networks only via firewall rules-block internet-facing exposure entirely (this prevents remote exploitation but impacts remote admin capabilities). (2) Enforce multi-factor authentication on all ADM administrator accounts to raise credential compromise difficulty (does not prevent exploitation by legitimate admins or attackers with stolen MFA tokens). (3) Disable PPTP VPN functionality if not operationally required, removing the vulnerable attack surface (impacts VPN-dependent workflows). (4) Monitor ADM system logs for unusual PPTP configuration changes or unexpected process execution under web server context. None of these mitigations eliminate the vulnerability; patching is the only complete remediation.

Share

EUVD-2026-23784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy