PT-2026-33723 · Adm · Adm

Published: 2026-04-20 · Updated: 2026-05-20 · CVE-2026-6644

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

ADM versions 4.1.0 through 4.3.3.RR42
ADM versions 5.0.0 through 5.1.2.REO1

Description

A command injection issue exists in the PPTP VPN Clients of ASUSTOR ADM. This occurs because user-supplied input is not sufficiently validated before being passed to a system shell, allowing an authenticated administrative user to break out of the restricted web environment and execute arbitrary root-level code on the underlying operating system. Successful exploitation can lead to Remote Code Execution (RCE) and full system compromise. Approximately 14,537 ASUSTOR-related exposed assets have been identified.

Recommendations

Update ADM versions 4.1.0 through 4.3.3.RR42 to a patched version.
Update ADM versions 5.0.0 through 5.1.2.REO1 to version 5.1.3.RGO1 or 5.1.3.RGL1.

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-6644

Affected Products

Adm