A critical vulnerability has been found in ASUSTOR ADM, the operating system that powers ASUSTOR's Network Attached Storage (NAS) devices. Discovered and reported by security researcher uky, the flaw, tracked as CVE-2026-6644, allows an authenticated administrator to gain complete control of the underlying system.
The full technical details of the vulnerability and a functional proof-of-concept (PoC) exploit have been made available to the public.
The flaw resides within the PPTP VPN Client feature of the ASUSTOR ADM interface. Specifically, the vulnerability is located in the /portal/apis/settings/vpn.cgi endpoint. According to the researcher’s findings, the “PPTP server address parameter is written into a pppd configuration file’s pty directive without proper escaping or sanitization”.
This lack of sanitization is the critical failure point. Because the system’s pppd daemon “executes the pty value through /bin/sh,” an attacker can inject additional shell commands into the server address field. When the system attempts to process the VPN configuration, it inadvertently executes those injected commands with root privileges.
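To make the mechanism concrete from the defender's side, here is an added Python example; it is not code from ASUSTOR, ADM or the researcher. It contrasts the unsafe pattern the article describes (the server address spliced straight into a pty directive that pppd hands to /bin/sh) with a hardened builder that accepts only a literal IP address or an RFC 1123 hostname, and adds a small audit that flags pty lines in a pppd options file that contain shell metacharacters. The `pptp <server> --nolaunchpppd` command line is the standard pptp-client form and is an assumption here; the page does not show what ADM actually writes. The two options files are constructed samples.

```python
import ipaddress
import re
import shlex

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

# Characters that have meaning to /bin/sh and never belong in a server address.
_SHELL_META = re.compile(r"[;&|`$()<>\\'\"\n]")


def is_valid_server_address(value: str) -> bool:
    """Allow-list check: a literal IPv4/IPv6 address or a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_pty_directive_unsafe(server: str) -> str:
    """The pattern the advisory describes: the untrusted value is interpolated
    directly into the pty command, which pppd later executes via /bin/sh.
    (pptp-client command form is an assumption, not taken from ADM.)"""
    return f'pty "pptp {server} --nolaunchpppd"'


def build_pty_directive_safe(server: str) -> str:
    """Hardened form: reject anything outside the IP/hostname grammar, then
    shell-quote anyway so the value can only ever be a single argument."""
    if not is_valid_server_address(server):
        raise ValueError(f"rejected PPTP server address: {server!r}")
    return f'pty "pptp {shlex.quote(server)} --nolaunchpppd"'


def find_suspicious_pty_lines(options_text: str) -> list[str]:
    """Audit helper: return pty directives whose command body contains shell
    metacharacters. A config generated from a valid address never needs them."""
    hits = []
    for line in options_text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("pty"):
            continue
        body = stripped[3:].strip()
        # pppd's options parser accepts a double- or single-quoted command string.
        if len(body) >= 2 and body[0] == body[-1] and body[0] in "\"'":
            body = body[1:-1]
        if _SHELL_META.search(body):
            hits.append(line)
    return hits


# Constructed sample: a pppd peer options file generated from a clean address.
SAMPLE_OPTIONS = """\
# constructed example, not an ADM-generated file
lock
noauth
pty "pptp vpn.example.com --nolaunchpppd"
name user1
"""

# Constructed sample: the same file after a malformed address was written unescaped.
TAMPERED_OPTIONS = """\
lock
noauth
pty "pptp vpn.example.com; echo injected --nolaunchpppd"
name user1
"""


if __name__ == "__main__":
    for addr in ("vpn.example.com", "203.0.113.10", "vpn.example.com; echo injected"):
        try:
            print(build_pty_directive_safe(addr))
        except ValueError as exc:
            print("blocked:", exc)
    print("clean file hits:", find_suspicious_pty_lines(SAMPLE_OPTIONS))
    print("tampered file hits:", find_suspicious_pty_lines(TAMPERED_OPTIONS))
```

The allow-list check is the real fix: once the address can only be an IP or hostname, there is nothing left for /bin/sh to interpret. The `shlex.quote` call is defence in depth, and the audit function is the kind of check an operator can run over existing peer files to spot a configuration that was written before the patch.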
Using internet-wide scanning via Censys, researchers identified a “significant number of internet-facing hosts potentially associated with ASUSTOR”. An upper-bound estimate suggests as many as 19,000 hosts could be exposed to the internet.
While not all of these hosts are necessarily running the vulnerable configuration, the high number of internet-accessible devices underscores the potential reach of a root-level exploit once the technical details are in the wild.
ASUSTOR has responded by releasing an emergency firmware update. Users must take immediate action to secure their NAS hardware.
- Update Immediately: The vulnerability has been resolved in ADM 5.1.3.RGO1. All users should update to this version or later.
- Restrict Access: ASUSTOR advises users to “restrict management interface access from the WAN” to prevent remote attackers from reaching the login page.
- Strong Authentication: Ensure all administrator accounts are protected with strong, unique passwords to prevent unauthorized access to the VPN settings menu.