Critical severity9.1NVD Advisory· Published Apr 20, 2026· Updated Apr 30, 2026

CVE-2026-6644

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Affected products

Asustor/Data Master
cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
Range: >=4.1.0.rhu2,<4.3.3.RR42

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

https//www.asustor.com/security/security_advisory_detailnvdBroken LinkVendor Advisory
uky007.github.io/CVE-2026-6644/nvd

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000