A critical OS command injection vulnerability (CVE-2026-6644) has been disclosed in the PPTP VPN Client of ASUSTOR ADM, the operating system powering ASUSTOR NAS devices.
Rated Critical with a CVSS v4.0 Base Score of 9.4, the now-patched zero-day allows an authenticated administrator to execute arbitrary commands with root privileges on the underlying operating system, enabling full system compromise.
CVE-2026-6644 is an authenticated OS command injection vulnerability residing in /portal/apis/settings/vpn.cgi, the PPTP VPN connection handler within ASUSTOR ADM.
The flaw was identified and responsibly disclosed as a zero-day, meaning no public information about it existed at the time of discovery, and it has since been fixed by ASUSTOR in firmware version ADM 5.1.3.RGO1.
The vulnerability impacts a wide range of ADM firmware releases:
- ADM 4.1.0 through 4.3.3.RR42
- ADM 5.0.0 through 5.1.2.REO1
ASUSTOR formally addressed the issue under security advisory AS-2026-006, urging all ADM users to apply the patch immediately.
CVE-2026-6644: Critical RCE in ASUSTOR ADM NAS
At its core, CVE-2026-6644 is an implementation oversight in how the PPTP VPN connection handler processes user-supplied input. The PPTP server address parameter passed to /portal/apis/settings/vpn.cgi is directly written into a pppd configuration file’s pty directive using fprintf without any input escaping or sanitization applied.
Since pppd executes the value of the pty directive via /bin/sh, a malicious PPTP server address string can escape the restricted web environment and execute arbitrary shell commands with root privileges. The attack chain is straightforward:
- Attacker authenticates to the ADM management interface
- Supplies a crafted PPTP server address containing shell metacharacters
- The malicious string is written unescaped into the pppd pty configuration
- pppd passes the value to /bin/sh -c, triggering root-level command execution
A critical detail in the code analysis reveals a selective escaping failure: the same handler function correctly applies single-quote escaping to the username (acc) and password (pass) parameters but entirely omits this protection for the server address field, exposing the injection path.
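To make the mechanism concrete, the following is an added illustration in C of the vulnerable pattern beside a hardened version. It is not ASUSTOR's code and not the published PoC: the "pptp <server> --nolaunchpppd" command line, the function names, and the allowlist rule are assumptions chosen for illustration, and the actual format string used in vpn.cgi is not reproduced here.

```c
/*
 * Added illustration (not ASUSTOR's code and not the published PoC) of the
 * injection pattern behind CVE-2026-6644: a user-supplied PPTP server address
 * interpolated into a pppd "pty" directive, which pppd later hands to
 * /bin/sh -c. The "pptp <server> --nolaunchpppd" command line, the function
 * names and the allowlist rule are assumptions for illustration only.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LINE_MAX_LEN 512

static char line_buf[LINE_MAX_LEN];   /* static storage keeps the demo simple */

/* Vulnerable pattern: the raw server string goes straight into the format,
 * exactly the fprintf-style oversight the advisory describes. */
const char *pty_line_vulnerable(const char *server)
{
    int n = snprintf(line_buf, sizeof line_buf,
                     "pty \"pptp %s --nolaunchpppd\"", server);
    return (n < 0 || (size_t)n >= sizeof line_buf) ? NULL : line_buf;
}

/* Allowlist: hostname and IPv4/IPv6 literal characters only (assumed rule).
 * None of the accepted characters has meaning to /bin/sh. */
int is_valid_server_address(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: reject anything outside the allowlist, then still wrap the
 * value in single quotes so the shell treats it as one literal word.
 * Returns NULL when the address is rejected. */
const char *pty_line_hardened(const char *server)
{
    if (!is_valid_server_address(server))
        return NULL;
    int n = snprintf(line_buf, sizeof line_buf,
                     "pty \"pptp '%s' --nolaunchpppd\"", server);
    return (n < 0 || (size_t)n >= sizeof line_buf) ? NULL : line_buf;
}

/* Rough model of what /bin/sh -c would see: does the line contain a shell
 * metacharacter outside single quotes? The surrounding double quotes belong
 * to pppd's option-file parser, not to the shell, so they are ignored here. */
int has_unquoted_metachar(const char *cmd)
{
    int in_single = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') {
            in_single = !in_single;
            continue;
        }
        if (!in_single && strchr(";|&$`<>(){}\n", *p))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed attacker input: a plausible address followed by a command. */
    const char *evil = "10.0.0.1; id";

    const char *vuln = pty_line_vulnerable(evil);
    printf("vulnerable: %s  (unquoted metachar: %d)\n",
           vuln, has_unquoted_metachar(vuln));

    const char *hard = pty_line_hardened(evil);
    printf("hardened  : %s\n", hard ? hard : "(rejected by allowlist)");

    hard = pty_line_hardened("vpn.example.com");
    printf("hardened  : %s  (unquoted metachar: %d)\n",
           hard, has_unquoted_metachar(hard));
    return 0;
}
```

The point of pairing the allowlist with quoting is defence in depth: the allowlist alone already makes injection impossible for this field, and the quoting means that a future relaxation of the allowlist (say, to accept a username@host form) does not silently reopen the shell path. Quoting alone, as the handler does for acc and pass, is only as good as the escaping of embedded quote characters.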
A proof-of-concept (PoC) exploit script (poc_CVE-2026-6644_pptp_injection.py) has been publicly released, serving as a minimal local reproducer that demonstrates the vulnerable fprintf format and /bin/sh -c execution pipeline.
CVE-2026-6644 is not a pre-authentication RCE: it requires valid administrator credentials. Even so, the real-world threat surface is considerably wider than it may initially appear.
ASUSTOR ADM ships with the default credential pair admin/admin, meaning any environment that has not changed the default password is trivially accessible to any attacker who can reach the management interface. Once an attacker gains administrative access, this vulnerability unlocks a full spectrum of post-exploitation capabilities:
- Malware installation and persistent backdoors
- Sensitive data exfiltration from NAS storage
- DDoS infrastructure deployment
- Residential proxy network abuse
- Ransomware staging and lateral movement
Internet exposure analysis using Censys identified approximately 19,000 internet-facing hosts associated with ASUSTOR, representing an upper-bound estimate of the number of globally exposed assets.
This figure is not the count of confirmed vulnerable devices; it includes hosts running patched firmware, non-PPTP configurations, or unaffected versions, but it underscores the substantial attack surface that NAS management interfaces present when exposed to the public internet.
| Metric | Value |
|---|---|
| CVE ID | CVE-2026-6644 |
| Severity | Critical |
| CVSS v4.0 Base Score | 9.4 |
| Attack Vector | Network |
| Authentication Required | Yes (Admin) |
| Impact | Full System Compromise (RCE as Root) |
| Patch Available | Yes – ADM 5.1.3.RGO1 |
Affected Versions
The vulnerability affects ASUSTOR ADM versions 4.1.0 through 4.3.3.RR42 and 5.0.0 through 5.1.2.REO1. ASUSTOR released the fix in ADM 5.1.3.RGO1, and users on both the ADM 4.x and 5.x branches are strongly advised to upgrade without delay.
Mitigation
ASUSTOR ADM administrators must take the following actions immediately to reduce exposure:
- Update to ADM 5.1.3.RGO1 or later; this is the only complete remediation
- Block WAN access to the ADM management interface; never expose NAS management to the public internet
- Change the default admin/admin credentials to a strong, unique password immediately
- Administer the device over VPN from a trusted internal network
- Turn off the PPTP VPN client if it is not actively required
- Disable all unused services to minimize the NAS attack surface
According to this Uky007 advisory, devices that store sensitive organizational or personal data should never have their management interfaces exposed to the internet without VPN-gated access controls.
FAQ
Q1: Is CVE-2026-6644 a pre-authentication vulnerability?
No, it requires valid administrator credentials to exploit, though default admin/admin credentials make it trivially reachable in unpatched environments.
Q2: Which ASUSTOR ADM versions are affected?
ADM 4.1.0 through 4.3.3.RR42 and ADM 5.0.0 through 5.1.2.REO1 are vulnerable; upgrade to ADM 5.1.3.RGO1 to be protected.
Q3: Has a public PoC exploit been released for CVE-2026-6644?
Yes, a public proof-of-concept script was released after the patch, demonstrating the OS command injection via the pppd pty directive.
Q4: How many ASUSTOR devices are exposed to the internet?
Censys analysis estimates approximately 19,000 internet-facing ASUSTOR-related hosts as an upper-bound exposure estimate, not all of which are confirmed to be vulnerable.
Site: https://thecybrdef.com