ASUSTOR has issued an urgent security advisory regarding a high-severity command injection vulnerability impacting its ASUSTOR Data Master (ADM) operating system. Identified as CVE-2026-6644, this flaw carries a CVSS score of 9.4, signaling a critical risk to Network Attached Storage (NAS) users.
The vulnerability is rooted in the PPTP VPN Client component of the ADM interface. Due to insufficient validation of user-supplied input, the system fails to properly sanitize data before passing it to a system shell.
This oversight creates a dangerous opening:
- Escaping Restrictions: An administrative user can break out of the restricted web-based management environment.
- Remote Code Execution (RCE): Attackers can execute arbitrary code directly on the underlying operating system.
- Full System Compromise: Successful exploitation grants the attacker complete control over the affected NAS device.
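The input-handling pattern described above, as an added illustration that is not ASUSTOR's code and is not taken from the advisory: a form field concatenated into a shell string, next to a version that validates each field against an allow-list and passes an argument vector with no shell. The helper path, its `--server`/`--user` options, the allow-list patterns and the sample inputs are all assumptions constructed for the example.

```python
import re
import shlex
import subprocess

# Hypothetical helper binary and options; not a real ADM path or CLI.
HELPER = "/usr/local/bin/vpn-helper"

# Assumed allow-lists: DNS hostname or IPv4 literal, and a conservative username.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}")

# Constructed sample input: a "server" field carrying a shell control operator.
HOSTILE_SERVER = "vpn.example.com; echo INJECTED"


def unsafe_command(server, username):
    """'Before' pattern: form fields concatenated into one shell string."""
    return f"{HELPER} --server {server} --user {username}"


def shell_tokens(command):
    """Approximate how a POSIX shell splits the string, operators included."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def safe_argv(server, username):
    """'After' pattern: validate each field, then build an argument vector."""
    if len(server) > 253 or not _HOST_RE.fullmatch(server):
        raise ValueError("server must be a hostname or IPv4 address")
    if not _USER_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    # Each value is exactly one argv element; no shell ever parses it.
    return [HELPER, "--server", server, "--user", username]


def connect(server, username):
    """Run the helper directly (no shell), so metacharacters have no meaning."""
    return subprocess.run(safe_argv(server, username), shell=False, check=True)


if __name__ == "__main__":
    print(shell_tokens(unsafe_command(HOSTILE_SERVER, "alice")))
    print(safe_argv("vpn.example.com", "alice"))
```

The allow-list is defence in depth; the structural fix is that `connect` never hands the values to a shell.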
The flaw spans multiple generations of the ADM software, leaving a significant portion of the user base vulnerable until patches are applied.
| Product | Severity | Fixed Release Availability |
|---|---|---|
| ADM 5.0 | Important | Upgrade to ADM 5.1.3.RGL1 or above |
| ADM 4.3, ADM 4.2 and 4.1 | Important | Ongoing |
ASUSTOR characterizes this vulnerability as an “Important” threat to system integrity. Users on the ADM 5.0 branch should prioritize upgrading to version 5.1.3.RGL1 or above immediately to close the exploit path. For ADM 4.3, 4.2 and 4.1, the fixed release is listed as ongoing.