Command Injection Vulnerability in PPTP VPN Clients by ASUSTOR
CVE-2026-6644

9.4 CRITICAL

Key Information:

CVE Published: 20 April 2026

What is CVE-2026-6644?

A flaw exists in the PPTP VPN Clients available on ASUSTOR's ADM systems that allows an administrative user to execute arbitrary commands on the operating system. This vulnerability is attributed to inadequate input validation of parameters submitted by the user. If exploited, this vulnerability can enable attackers to escape from the restricted web environment, leading to remote code execution and a complete system compromise. Users of ADM versions 4.1.0 through 4.3.3.RR42 and 5.0.0 through 5.1.2.REO1 should take immediate action to secure their systems.

Affected Version(s)

ADM 4.1.0 <= 4.3.3.RR42

ADM 5.0.0 <= 5.1.2.REO1

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

uky