Contact Us
Blog

CVE-2026-6644 Analysis: Command Injection Vulnerability in ASUSTOR ADM PPTP VPN Client

It analyzes the technical structure and attack flow of CVE-2026-6644 and examines how internet-exposed ASUSTOR ADM management...

A critical command injection vulnerability, CVE-2026-6644, was recently disclosed in ADM (ASUSTOR Data Master), the NAS operating system used by ASUSTOR devices. The vulnerability was found in the PPTP VPN Client feature of ADM and allows an attacker with administrator privileges to break out of the restricted web management environment and execute arbitrary commands on the underlying NAS operating system.

According to ASUSTOR’s security advisory, the vulnerability occurs because user-supplied input is not sufficiently validated before being passed to a system shell. A crafted input value can be written to the pty directive in the pppd configuration file and later executed through /bin/sh, leading to root-level command execution. Affected versions include ADM 4.1.0 through 4.3.3.RR42, as well as ADM 5.0.0 through 5.1.2.REO1. ASUSTOR addressed the issue in ADM 5.1.3.RGO1 and ADM 4.3.3.RSU1.

This article analyzes the technical structure and attack flow of CVE-2026-6644 and examines how internet-exposed ASUSTOR ADM management interfaces can form an attack surface when combined with this vulnerability.

CVE-2026-6644 Vulnerability Overview

ItemDetails
CVE IDCVE-2026-6644
Affected ProductASUSTOR Data Master (ADM)
Affected FeaturePPTP VPN Client
Vulnerability TypeOS Command Injection
CWECWE-78
CVSS Score9.1 Critical (CVSS 3.1), 9.4 Critical (CVSS 4.0)
Affected VersionsADM 4.1.0–4.3.3.RR42, ADM 5.0.0–5.1.2.REO1
Patched VersionsADM 5.1.3.RGO1 or later, ADM 4.3.3.RSU1 or later
Attack RequirementADM administrator authentication required
ImpactRoot-level command execution, full NAS compromise

CVE-2026-6644 is a post-authentication command injection vulnerability in the PPTP VPN Client feature of ADM. An attacker who has administrator access to the ADM management interface can enter a crafted server address during PPTP VPN configuration. If this value is written to the pppd configuration file without proper escaping or validation, pppd can later execute it through /bin/sh, enabling arbitrary command execution.

An important point is that this vulnerability is not a pre-authentication RCE. The attacker must first gain administrator access to the ADM management interface. However, NAS devices are often used as external storage systems, backup servers, media servers, or small business file servers. If the management interface is directly exposed to the internet, or if default or weak administrator credentials are still in use, the practical risk increases significantly. One researcher noted that environments using default administrator accounts or weak passwords may allow internet-exposed ADM management interfaces to become an initial access path.

Technical Cause and Attack Flow

AI-generated image illustrating the PPTP VPN Client command injection structure

The core issue behind CVE-2026-6644 is that user input entered during ADM’s PPTP VPN Client configuration process can be passed into a system command execution path without sufficient validation. The vulnerability occurs in /portal/apis/settings/vpn.cgi. During PPTP VPN configuration, this handler writes the user-supplied server address value to the pty directive in the pppd configuration file. The problem is that this server address value may be reflected into the configuration without proper escaping or input validation.

pppd can process the pty value through /bin/sh. As a result, if an attacker obtains ADM administrator privileges and enters a crafted string into the PPTP server address field, a value that should normally specify a VPN server address can instead be interpreted as a shell command. In this scenario, the attacker can escape the restricted ADM web management environment and execute commands with root privileges on the underlying NAS operating system.

Because this is not a pre-authentication RCE, the attacker must first obtain ADM administrator access. However, if the NAS management page is directly exposed to the internet and default credentials, weak passwords, or leaked credentials are in use, the administrator authentication step may not function as a meaningful barrier. NAS devices often store business documents, backup data, account information, logs, and development assets. Once command execution succeeds, the attack can expand to file theft, backup deletion, ransomware deployment, internal network reconnaissance, backdoor installation, and other follow-on activity.

Ultimately, CVE-2026-6644 is not merely a functional bug in the PPTP VPN Client. When combined with an internet-exposed ADM management interface and weak account management, it can become a command injection path leading to full NAS compromise. The issue is particularly notable because, while certain escaping appears to be applied to the username and password parameters in the same processing flow, the same protection is not applied to the server address value. This makes the vulnerability a case where missing validation on a single input field expands into a critical execution path.

PoC Disclosure and Real-World Attack Potential

CVE-2026-6644 was followed by the publication of technical analysis and a PoC after the patch release. The researcher explained that the disclosed script is not a weaponized exploit that directly attacks ASUSTOR devices. Instead, it is a minimal local reproduction that demonstrates the vulnerable fprintf format and the pppd /bin/sh -c execution flow in Python.

However, the fact that the PoC is a minimal reproduction does not eliminate risk. The vulnerability principle, affected versions, vulnerable function, input field, and execution path have been publicly described in sufficient detail. Attackers could use this information to reconstruct an exploit adapted to real ADM environments.

Although the vulnerability is not a pre-authentication RCE, exploitation becomes more realistic when the following conditions are present:

  • The ADM management interface is directly exposed to the internet
  • Default administrator credentials or weak passwords are in use
  • ADM firmware has not been updated for an extended period
  • The PPTP VPN Client feature is enabled or accessible
  • The NAS is used as a storage system for sensitive internal data

Therefore, the risk of CVE-2026-6644 should not be reduced to “an administrator-only vulnerability.” The actual attack surface depends on the exposure of the management interface, the strength of account security, the role of the NAS in the environment, and the sensitivity of the data stored on the device.

Internet-Exposed ASUSTOR ADM Assets Observed by Criminal IP

To assess the real attack surface of CVE-2026-6644, it is necessary to look beyond the vulnerability itself and identify how many ASUSTOR-related assets are accessible from the internet. ASUSTOR NAS devices often provide web-based management interfaces and HTTPS services, and certificate information used by these devices can serve as a clue for identifying exposed assets.

Criminal IP Asset Search can be used to identify externally exposed assets using ASUSTOR-related certificate information.

Criminal IP Search Query: ssl_issuer_organization: “Asustor”

Criminal IP Asset Search results for exposed ASUSTOR ADM assets

This query searches for assets whose SSL/TLS certificate issuer organization field contains Asustor. In other words, it can be used to identify externally exposed assets that are likely associated with ASUSTOR NAS devices or ASUSTOR-related services. As of May 12, 2026, Criminal IP Asset Search returned 14,537 results for this query.

However, this query is an exploratory query for identifying ASUSTOR-related assets. It does not mean that every asset in the results is vulnerable to CVE-2026-6644. To determine actual vulnerability, additional verification is required, including the ADM version, management interface accessibility, PPTP VPN Client usage, and patch status.

Criminal IP Asset Search analysis of an individual ASUSTOR-related asset

Analysis of an individual asset can provide more concrete evidence that an ASUSTOR-related web service is exposed externally. For example, in one asset, TCP ports 80 and 443 were both open, and the HTTP and HTTPS services returned normal 200 status codes. The service product was identified as Apache, and the page title was shown as Ready to Serve!.

In particular, the HTTP response banner contained the following HTML information:

Copyright (c) 2022 Asustor Inc. All rights reserved.

This indicates that the web service may be associated with an ASUSTOR NAS device or an ASUSTOR-provided default web service. The fact that both HTTP and HTTPS are exposed on the same asset also suggests that external users can directly access the web-based service.

This type of individual asset analysis goes beyond identifying the presence of ASUSTOR-related certificates. It helps determine which ports are open, which web server is responding, and whether default pages or management-page-related strings are exposed. Because CVE-2026-6644 is exploited after administrator authentication, attackers may first use exposed web services like these to identify ASUSTOR assets and then attempt administrator access through credential theft, default credential abuse, or credential reuse.

Patch Status and Mitigation

ASUSTOR disclosed CVE-2026-6644 under security advisory AS-2026-006 and advises users to update ADM 5.x to ADM 5.1.3.RGO1 or later and ADM 4.x to ADM 4.3.3.RSU1 or later. The fix was released for ADM 5.x on April 27, 2026, and for ADM 4.x on May 4, 2026.

Organizations should first update ADM firmware to the latest patched version and review whether ADM management interfaces are exposed externally. Management pages accessible directly from the WAN should be blocked or restricted so that they can only be reached from the internal network or through a trusted VPN. Default administrator accounts, weak passwords, unnecessary PPTP VPN Client functionality, and unused services or ports should also be reviewed and removed where possible.

If administrator account compromise is suspected, organizations should also inspect ADM administrator accounts, certificates and key files stored on the NAS, shared folder permissions, external connection settings, VPN and remote access settings, installed applications, and scheduled tasks. Since NAS devices often store critical business data and backups, response should not stop at patching the vulnerable version. Organizations should also check for possible data exposure, backup tampering, and persistence mechanisms.

FAQ

Q1. Can CVE-2026-6644 be exploited without authentication?

No. CVE-2026-6644 is not a pre-authentication RCE. It is a command injection vulnerability that requires administrator authentication. The attacker must first gain administrator access to the ADM management interface. However, if default credentials, weak passwords, leaked credentials, and an externally exposed management page are present together, the practical likelihood of exploitation increases significantly.

Q2. Why is CVE-2026-6644 rated Critical even though administrator authentication is required?

Even though authentication is required, successful exploitation allows an attacker to execute arbitrary commands with root privileges. NAS devices often store sensitive data and backup files, meaning device compromise can lead directly to data theft, ransomware deployment, and internal network expansion. NVD rates the vulnerability as 9.1 Critical under CVSS 3.1, while ASUSTOR rates it as 9.4 Critical under CVSS 4.0.

Q3. Which versions are affected?

Affected versions include ADM 4.1.0 through 4.3.3.RR42 and ADM 5.0.0 through 5.1.2.REO1. ADM 5.x users should update to ADM 5.1.3.RGO1 or later, and ADM 4.x users should update to ADM 4.3.3.RSU1 or later.

Conclusion

CVE-2026-6644 highlights the importance of securing NAS management interfaces. Although the vulnerability is not a pre-authentication RCE, it allows an attacker with administrator privileges to escape the restricted web environment and execute root-level commands on the NAS operating system. This makes the vulnerability highly severe, especially because NAS devices are often central repositories for organizational files, backups, credentials, and business data.

The root cause of this vulnerability is missing input validation in the PPTP VPN Client feature. However, the real security risk extends beyond a single feature-level flaw. When an externally exposed ADM management interface, unchanged default credentials, delayed firmware updates, and unnecessary VPN functionality are combined, a single command injection vulnerability can become an attack path to full NAS compromise.

Therefore, the starting point for response is not only patching. Organizations must first identify internet-exposed ASUSTOR ADM assets and verify who can access their management interfaces. They should then apply the latest firmware updates, restrict WAN access, strengthen administrator accounts, disable unnecessary services, and review logs and configuration changes.

NAS security is not merely a storage device issue. It is a data protection issue. CVE-2026-6644 shows how an externally exposed management interface and insecure configuration can turn a data storage system into an attacker-controlled execution environment.

In relation to this, you can refer to CVE-2026-42208: LiteLLM SQL Injection Vulnerability Targeting AI Gateways.

You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP(https://www.criminalip.io/ko), NIST(https://nvd.nist.gov/vuln/detail/CVE-2026-6644), GitHub uky007 CVE-2026-6644(https://github.com/uky007/CVE-2026-6644), GitHub Advisory Database GHSA-32w9-6rwg-p96w(https://github.com/advisories/GHSA-32w9-6rwg-p96w)

Related Article: https://www.criminalip.io/ko/knowledge-hub/blog/34580