Cyber Posture

CVE-2026-6643

Critical

Published: 20 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

SI-2 requires timely identification, reporting, and correction of flaws like the unbounded sscanf and printf usage, directly addressing the root cause via patching affected ADM versions.

prevent

SI-16 enforces memory protections such as PIE and stack canaries, which are absent in the vulnerable VPN Clients and would prevent arbitrary code execution despite the buffer overflow.

prevent

SI-10 mandates validation of user-controlled inputs before processing by functions like sscanf, preventing the stack-based buffer overflow in the VPN Clients component.

Security Summary · AI

CVE-2026-6643 is a stack-based buffer overflow vulnerability (CWE-121) in the VPN Clients component of ASUSTOR Data Master (ADM). The issue originates from the use of unbounded sscanf() and passing user-controlled data directly to printf(), exacerbated by the absence of Position Independent Executable (PIE) and Stack Canary protections. Affected versions span ADM 4.1.0 through 4.3.3.RR42 and ADM 5.0.0 through 5.1.2.REO1. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-04-20.

An authenticated remote attacker can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Exploitation enables arbitrary code execution with the privileges of the web server user, potentially leading to full compromise of the affected ADM instance given the high-impact scoring across confidentiality, integrity, availability, and scope.

ASUSTOR has published a security advisory detailing the issue, available at https://www.asustor.com/security/security_advisory_detail?id=54, which security practitioners should consult for recommended patches and mitigation steps.

Details

CWE(s)

Affected Products

asustor
data master
4.1.0.rhu2 — 4.3.3.RR42 · 5.0.0.ra82 — 5.1.2.reo1

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a high-severity stack-based buffer overflow in a network-accessible VPN Clients web component of ADM, enabling authenticated remote arbitrary code execution as the web server user, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
