CVE-2026-6644
Published: 20 April 2026
Summary
CVE-2026-6644 is a critical-severity OS Command Injection (CWE-78) vulnerability in Asustor Data Master. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 41.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user-supplied inputs before processing, addressing the root cause of command injection in PPTP VPN Clients.
Mandates identification, reporting, and correction of the specific command injection flaw in affected ADM versions via patching.
Enforces least privilege for administrative users and web processes, limiting the scope and impact of RCE breakout to the underlying OS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in web management interface enables exploitation of remote service (T1210) for Unix shell execution (T1059.004) and privilege escalation from admin web context to OS RCE (T1068).
NVD Description
A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due…
more
to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.
Deeper analysisAI
CVE-2026-6644 is a command injection vulnerability (CWE-78) in the PPTP VPN Clients on the ADM, stemming from insufficient validation of user-supplied input before it is passed to a system shell. This flaw enables an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. Affected products include ADM versions from 4.1.0 through 4.3.3.RR42, as well as from 5.0.0 through 5.1.2.REO1. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-04-20.
The attack requires privileged access as an administrative user (PR:H) and can be carried out remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants remote code execution (RCE), allowing full compromise of the system through arbitrary code execution on the host operating system, with changed scope (S:C) and high impact across confidentiality, integrity, and availability.
Advisories providing further details, including potential patches and mitigation guidance, are available from ASUSTOR at https://https://www.asustor.com/security/security_advisory_detail?id=55 and an independent analysis at https://uky007.github.io/CVE-2026-6644/.
Details
- CWE(s)