CVE-2026-6644 CRITICAL

CVE-2026-6644: A command injection vulnerability was found in the PPTP VPN Clients on the ADM

Vendor Asustor Inc.

Product ADM

Weakness CWE-78

Published April 20, 2026

Last update April 30, 2026

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Key dates

02Disclosure timeline

April 20, 2026 CVE published

April 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-6644 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2026-6644

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions

Vendor Asustor Inc.

Product ADM

Affected ≥ 4.1.0 and ≤ 4.3.3.RR42

Vendor Asustor Inc.

Product ADM

Affected ≥ 5.0.0 and ≤ 5.1.2.REO1

CVE-2026-6644: A command injection vulnerability was found in the PPTP VPN Clients on the ADM

01Description

02Disclosure timeline

03References

04Related CVE