We use cookies to help us improve our webpage. Please read our Cookie Policy .

ASUSTOR Product Security Advisory

AS-2026-006: PPTP VPN Clinet

2026-04-20

Severity

Important

Status

Ongoing

Statement

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system.
Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

  • The issues have been fixed on ADM 5.1.3.RGL1.

Affected Products

Product Severity Fixed Release Availability
ADM 5.0 Important Upgrade to ADM 5.1.3.RGL1 or above
ADM 4.3, ADM 4.2 and 4.1 Important Ongoing

Detail

  • CVE-2026-6644
    • Severity: Critical
    • CVSS4 Base Score: 9.4
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Reference

Acknowledgement

uky


Revision

Revision Date Description
1 2026-04-20 Initial public release.
2 2026-04-20 CVE ID (CVE-2026-6644) is assigned for the issue.
3 2026-04-22 ADM 5.1.3.RGL1 have been released for fixing the issues.