Cyber Resilience

CVE-2026-6644

CriticalRCE

Published: 20 April 2026

Published
20 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0145 70.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6644 is a critical-severity OS Command Injection (CWE-78) vulnerability in Asustor Data Master. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 30.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6644 is a command injection vulnerability (CWE-78) in the PPTP VPN Clients on the ADM, stemming from insufficient validation of user-supplied input before it is passed to a system shell. This flaw enables an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. Affected products include ADM versions from 4.1.0 through 4.3.3.RR42, as well as from 5.0.0 through 5.1.2.REO1. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-04-20.

The attack requires privileged access as an administrative user (PR:H) and can be carried out remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants remote code execution (RCE), allowing full compromise of the system through arbitrary code execution on the host operating system, with changed scope (S:C) and high impact across confidentiality, integrity, and availability.

Advisories providing further details, including potential patches and mitigation guidance, are available from ASUSTOR at https://https://www.asustor.com/security/security_advisory_detail?id=55 and an independent analysis at https://uky007.github.io/CVE-2026-6644/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due…

more

to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection in web management interface enables exploitation of remote service (T1210) for Unix shell execution (T1059.004) and privilege escalation from admin web context to OS RCE (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3179Same product: Asustor Data Master
CVE-2026-24936Same product: Asustor Data Master
CVE-2026-6643Same product: Asustor Data Master
CVE-2026-34792Shared CWE-78
CVE-2025-45378Shared CWE-78
CVE-2026-34005Shared CWE-78
CVE-2021-47745Shared CWE-78
CVE-2021-47747Shared CWE-78
CVE-2018-25143Shared CWE-78
CVE-2025-64120Shared CWE-78

Affected Assets

asustor
data master
4.1.0.rhu2 — 4.3.3.RR42 · 5.0.0.ra82 — 5.1.2.reo1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied inputs before processing, addressing the root cause of command injection in PPTP VPN Clients.

prevent

Mandates identification, reporting, and correction of the specific command injection flaw in affected ADM versions via patching.

prevent

Enforces least privilege for administrative users and web processes, limiting the scope and impact of RCE breakout to the underlying OS.

References