A critical vulnerability, tracked as CVE-2026-6644, has been uncovered in ASUSTOR’s ADM (ASUSTOR Data Master) operating system. Specifically, the flaw exists within the PPTP VPN Client feature.
Carrying a CVSS v4.0 score of 9.4, this OS command injection vulnerability allows an authenticated administrator to execute arbitrary commands with root privileges. ASUSTOR has since addressed the flaw in ADM version 5.1.3.RGO1.
How the Exploit Works
According to the security researcher uky007, the technical root of the problem lies in the PPTP VPN connection handler located at /portal/apis/settings/vpn.cgi.
When an administrator inputs a PPTP server address, the system writes this parameter directly into a pppd configuration file using the pty directive.
Detailed Vulnerability (Source: GitHub)
Unfortunately, the software fails to escape or sanitize this specific input properly. While the system correctly applies single-quote escaping to the username and password parameters, it completely misses the server address.
Because pppd executes the pty value through /bin/sh, an attacker can manipulate the server address to break out of the restricted web interface and run root-level commands on the underlying OS. A Python-based Proof of Concept (PoC) script demonstrating this injection has already been disclosed.
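As an added illustration of the defect described above (not code from the advisory, the researcher's PoC, or ASUSTOR), the snippet below builds a pppd pty line the way the write-up describes, beside a version that validates the server address first, and adds an audit check that flags pty lines in an existing peer file that do not have the expected shape. The `pptp <server> --nolaunchpppd` form is the standard pptp-linux usage and is assumed here; ADM's actual file layout is not given on the page.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname label: alphanumerics and interior hyphens, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
_PTY_RE = re.compile(r'^\s*pty\s+"(.*)"\s*$')

def is_valid_server_address(addr: str) -> bool:
    """Allow-list check: accept only an IP literal or a DNS hostname."""
    if not addr or len(addr) > 253:
        return False
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(addr) is not None

def build_pty_line_vulnerable(server: str) -> str:
    # Mirrors the defect in the write-up: the address is interpolated verbatim, so any
    # shell metacharacters in it reach /bin/sh when pppd runs the pty command.
    return f'pty "pptp {server} --nolaunchpppd"'  # pptp-linux form, assumed here

def build_pty_line_hardened(server: str) -> str:
    """Reject anything that is not a host/IP, then quote defensively as one argument."""
    if not is_valid_server_address(server):
        raise ValueError("PPTP server address must be a hostname or IP literal")
    return f'pty "pptp {shlex.quote(server)} --nolaunchpppd"'

def audit_pppd_config(config_text: str) -> list:
    """Detection: report pty lines not shaped exactly 'pptp <valid-address> --nolaunchpppd'.
    Whitespace splitting makes an address with metacharacters, or extra appended words, fail."""
    findings = []
    for line in config_text.splitlines():
        m = _PTY_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        canonical = (len(tokens) == 3 and tokens[0] == "pptp"
                     and tokens[2] == "--nolaunchpppd" and is_valid_server_address(tokens[1]))
        if not canonical:
            findings.append(line.strip())
    return findings

# Constructed sample peer file: one clean pty line and one whose address was tampered with.
SAMPLE_PEER_CONFIG = (
    'pty "pptp vpn.example.com --nolaunchpppd"\n'
    'pty "pptp vpn.example.com; echo tampered --nolaunchpppd"\n'
)
```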
It is important to note that this is not a pre-authentication exploit; the attacker must first gain administrator access to the ADM management interface.
However, ASUSTOR devices ship with default credentials (admin/admin). If users fail to change these defaults, the barrier to entry becomes perilously low for attackers.
Once a threat actor achieves root access, they gain full control over the NAS device. This level of compromise allows attackers to install persistent malware, access sensitive stored data, or conscript the hardware into botnets for Distributed Denial of Service (DDoS) attacks and proxy abuse.
Device Exposure and Mitigation
According to Censys scanning data, there is an upper bound of approximately 19,000 internet-facing hosts associated with ASUSTOR.
Censys-based upper-bound estimate of internet-facing ASUSTOR-related hosts. This is not the number of confirmed vulnerable devices. (Source: GitHub)
While this number reflects the total ASUSTOR footprint rather than confirmed vulnerable devices, it highlights a broad target space for threat actors scanning for unpatched hardware.
To protect against CVE-2026-6644, security teams and NAS administrators should immediately implement the following security measures:
- Update ASUSTOR ADM firmware to version 5.1.3.RGO1 or later.
- Change the default administrator credentials to a strong, unique password.
- Prevent the ADM management interface from being directly exposed to the open internet.
- Limit management access exclusively to trusted internal networks or require a secure VPN connection.
- Disable unnecessary services running on the NAS device to reduce the overall attack surface.
