CVE-2026-6644

Received
Published: 20 Apr 2026, 06:54
Last modified:20 Apr 2026, 13:50

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.4 CRITICAL
v4.0 (cve.org)
EPSS Score
0.73% LOW
1% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Apr 2026, 06:54
Published
Vulnerability first disclosed
20 Apr 2026, 13:50
Last Modified
Vulnerability information updated

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

CVSS Metrics

  • v4.0CRITICALScore: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • v4.0CRITICALScore: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Trends

Current EPSS score: 0.73% Percentile: 73%

Techniques & Countermeasures

  • CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Systems

  • asustor inc.adm

    ≥ 4.1.0, ≤ 4.3.3.RR42 | ≥ 5.0.0, ≤ 5.1.2.REO1

References (1)