Description
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.
Published: 2026-04-20
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in the PPTP VPN client of the ADM web interface, caused by insufficient validation of user input that is passed to a system shell. An administrative user can exploit this flaw to break out of the restricted web environment, run arbitrary operating-system commands, and consequently achieve full system compromise through Remote Code Execution, which aligns with CWE-78.

Affected Systems

ASUSTOR Inc. ADM devices are affected, specifically all builds from ADM 4.1.0 through ADM 4.3.3.RR42 and from ADM 5.0.0 through ADM 5.1.2.REO1.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests no publicly known exploitation at this time. Exploitation requires administrative access to the web interface; however, an attacker who holds such access could remotely execute arbitrary code on the underlying operating system, leading to a full compromise of the device and the network it sits on.

Generated by OpenCVE AI on April 20, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ADM firmware to the latest version that contains the fix for the PPTP VPN client command injection flaw.
  • If the PPTP VPN service is not required, disable it or remove the related packages to eliminate the attack surface.
  • Configure the network firewall to restrict access to the ADM administrative interface to known, trusted IP addresses and enforce strong authentication, thereby limiting the potential for an attacker to reach the vulnerable endpoint.

Generated by OpenCVE AI on April 20, 2026 at 08:22 UTC.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 09:15:00 +0000

  Type: First Time appeared
  Values Added: Asustor; Asustor adm

  Type: Vendors & Products
  Values Added: Asustor; Asustor adm

Mon, 20 Apr 2026 07:15:00 +0000

  Type: Description
  Values Added: A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

  Type: Title
  Values Added: A command injection vulnerability was found in the PPTP VPN Clients on the ADM

  Type: Weaknesses
  Values Added: CWE-78

  Type: References
  Values Added: (none)

  Type: Metrics
  Values Added: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published:

Updated: 2026-04-20T13:50:31.828Z

Reserved: 2026-04-20T04:06:46.522Z

Link: CVE-2026-6644

Vulnrichment

Updated: 2026-04-20T13:50:28.511Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T07:16:16.693

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-6644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T09:00:02Z

Weaknesses