Cyber Posture

CVE-2026-6644

Critical

Published: 20 April 2026

Published
20 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0036 58.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due…

more

to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of user-supplied inputs before processing, addressing the root cause of command injection in PPTP VPN Clients.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and correction of the specific command injection flaw in affected ADM versions via patching.

AC-6 Least Privilege partial match
prevent

Enforces least privilege for administrative users and web processes, limiting the scope and impact of RCE breakout to the underlying OS.

Security SummaryAI

CVE-2026-6644 is a command injection vulnerability (CWE-78) in the PPTP VPN Clients on the ADM, stemming from insufficient validation of user-supplied input before it is passed to a system shell. This flaw enables an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. Affected products include ADM versions from 4.1.0 through 4.3.3.RR42, as well as from 5.0.0 through 5.1.2.REO1. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-04-20.

The attack requires privileged access as an administrative user (PR:H) and can be carried out remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants remote code execution (RCE), allowing full compromise of the system through arbitrary code execution on the host operating system, with changed scope (S:C) and high impact across confidentiality, integrity, and availability.

Advisories providing further details, including potential patches and mitigation guidance, are available from ASUSTOR at https://https://www.asustor.com/security/security_advisory_detail?id=55 and an independent analysis at https://uky007.github.io/CVE-2026-6644/.

Details

CWE(s)
CWE-78

Affected Products

asustor
data master
4.1.0.rhu2 — 4.3.3.RR42 · 5.0.0.ra82 — 5.1.2.reo1

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Command injection in web management interface enables exploitation of remote service (T1210) for Unix shell execution (T1059.004) and privilege escalation from admin web context to OS RCE (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References