
Command injection in ASUSTOR ADM PPTP VPN client enables RCE

2 min read · Published 20 Apr 2026 · Source: ASUSTOR Product Security Advisory

TL;DR — A Critical command injection in ASUSTOR ADM’s PPTP VPN Client can let an administrative user reach OS-level remote code execution; if you run ADM, scope exposure and follow ASUSTOR’s upgrade guidance.

What happened

ASUSTOR ADM is the Linux-based operating system and web management layer used on ASUSTOR NAS devices. ASUSTOR published security advisory AS-2026-006 describing CVE-2026-6644, a command injection issue in ADM’s PPTP VPN Client feature.

Per ASUSTOR, the vulnerability is caused by insufficient validation of user-supplied input before it is passed to a system shell, enabling an administrative user to “break out of the restricted web environment and execute arbitrary code on the underlying operating system,” resulting in RCE and full system compromise.
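The advisory describes the bug class but not ADM's code, so the following is an added illustration (not ASUSTOR's implementation) of how "user-supplied input passed to a system shell" becomes command injection, and what the fix looks like: an allowlist check on the value plus passing it as a discrete argv element so no shell ever parses it. The `pptp` argument layout, the field name and the hostname pattern are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Hypothetical: a VPN-client settings form hands the "server" field to a
# command line. Names here are illustrative, not ASUSTOR's code.

# Allowlist for a DNS hostname: labels of letters, digits and hyphens joined by
# dots. Anything else (spaces, ';', '|', '$', backticks, quotes) is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(server: str) -> str:
    """Vulnerable pattern: interpolate the raw field into a shell string.

    If this string were executed with shell=True, any shell metacharacter in
    `server` would be interpreted by the shell, which is exactly the
    "insufficient validation before passing to a system shell" the advisory
    describes. The function only builds the string so the defect can be
    inspected; it never executes it.
    """
    return f"pptp {server} nodetach"


def validate_hostname(server: str) -> str:
    """Allowlist validation: accept only a syntactically valid hostname."""
    if not HOSTNAME_RE.match(server):
        raise ValueError(f"rejected VPN server value: {server!r}")
    return server


def build_argv_safe(server: str) -> list[str]:
    """Hardened pattern: validate, then pass the value as one argv element.

    With an argv list (shell=False) the value reaches the program as a single
    argument; no shell parses it, so metacharacters have no special meaning.
    """
    return ["pptp", validate_hostname(server), "nodetach"]


def build_shell_line_quoted(server: str) -> str:
    """Fallback when a shell string truly is unavoidable: validate AND quote.

    shlex.join() quotes each element so the shell sees it as one literal word.
    """
    return shlex.join(["pptp", validate_hostname(server), "nodetach"])


def run_argv(argv: list[str]) -> str:
    """Execute an argv list with no shell involved and return its stdout."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: one well-formed hostname, one carrying a shell separator.
    good = "vpn.example.com"
    bad = "vpn.example.com; echo injected"
    print("unsafe string for bad input:", build_command_unsafe(bad))
    print("safe argv for good input:  ", build_argv_safe(good))
    try:
        build_argv_safe(bad)
    except ValueError as exc:
        print("validator rejected:        ", exc)
    # Demonstrate shell-free execution with echo standing in for the VPN binary.
    print(run_argv(["echo", *build_argv_safe(good)[1:]]))
```

The two defences are independent: the allowlist stops bad values at the boundary, and the argv form means a future gap in the allowlist still cannot reach a shell parser.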

This is the kind of bug that turns an app-layer management surface into an appliance takeover path: once an attacker has admin access (or can obtain it via credential stuffing, password reuse, or a separate auth bug), command injection provides a direct bridge to OS-level control.

Who is impacted

  • ASUSTOR NAS deployments running ADM versions 4.1.0–4.3.3.RR42.
  • ASUSTOR NAS deployments running ADM versions 5.0.0–5.1.2.REO1.
  • Environments where the ADM web admin surface (and PPTP VPN configuration endpoints) are reachable from untrusted networks.
Product / feature       | Affected versions (per ASUSTOR) | Fixed release / availability (per ASUSTOR)
ADM / PPTP VPN Client   | 4.1.0 through 4.3.3.RR42        | Listed as Ongoing
ADM / PPTP VPN Client   | 5.0.0 through 5.1.2.REO1        | ADM 5.1.3.RGL1 (or above)

Notes on patch availability: the advisory states “The issues have been fixed on ADM 5.1.3.RGL1,” while also listing ADM 4.1–4.3 as “Ongoing,” so remediation paths differ by major line.

What to do now

  • Follow ASUSTOR’s remediation guidance: upgrade to ADM 5.1.3.RGL1 or above.

  • Inventory NAS devices and ADM versions (including any remote/branch-office deployments) and identify whether PPTP VPN Client is enabled.
  • For ADM lines marked “Ongoing” in the advisory, prioritize compensating controls to reduce exploitability until ASUSTOR provides a fixed release for your branch, such as:
    • restricting access to the ADM web management interface (VPN, IP allowlisting, admin network segmentation)
    • reviewing/locking down administrative accounts (remove unused admins, enforce strong authentication policies supported by your environment)
    • disabling PPTP VPN client functionality if it is not required
  • If compromise is suspected, treat the NAS as potentially fully compromised (not just the web UI): rotate credentials and keys stored on or accessible from the NAS and review administrative activity.
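The inventory and prioritization steps above can be scripted. The following is an added example, not ASUSTOR tooling: it encodes the affected ranges exactly as the advisory states them and classifies each device's ADM version so that affected units with the PPTP VPN Client enabled surface first. Two assumptions are built in and commented: the build suffixes (RR42, REO1, RGL1) are not treated as ordered, only the numeric x.y.z is compared, and a version that shares its numeric triple with a range bound is counted as inside the range, which errs on the side of flagging. The inventory rows are constructed sample data.

```python
import re

# Ranges quoted from ASUSTOR advisory AS-2026-006 (CVE-2026-6644):
# (lower bound, upper bound, fixed build, or None where the advisory says "Ongoing")
AFFECTED_RANGES = [
    ("4.1.0", "4.3.3.RR42", None),
    ("5.0.0", "5.1.2.REO1", "5.1.3.RGL1"),
]

# ADM versions look like x.y.z or x.y.z.<build suffix>.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")


def parse_version(version: str):
    """Split an ADM version into ((x, y, z), suffix); raises on malformed input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ADM version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def classify(version: str):
    """Return (status, fixed_build) for an ADM version.

    Assumption: build suffixes are not ordered, so comparison uses the numeric
    triple only; a version equal to a bound's triple is treated as in range.
    status is "affected", "fixed" (at or above a listed fixed build) or
    "unknown" (outside every range the advisory lists).
    """
    numeric, _suffix = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        if parse_version(lo)[0] <= numeric <= parse_version(hi)[0]:
            return ("affected", fix)
    for _lo, _hi, fix in AFFECTED_RANGES:
        if fix and numeric >= parse_version(fix)[0]:
            return ("fixed", fix)
    return ("unknown", None)


def triage(inventory):
    """Annotate (host, adm_version, pptp_client_enabled) rows and sort by urgency."""
    rows = []
    for host, version, pptp_enabled in inventory:
        status, fix = classify(version)
        if status == "affected" and fix is None:
            action = "no fixed release listed for this branch: apply compensating controls"
        elif status == "affected":
            action = f"upgrade to ADM {fix} or above"
        elif status == "fixed":
            action = "no action for this advisory"
        else:
            action = "version not covered by the advisory: confirm with ASUSTOR"
        rows.append({"host": host, "version": version, "status": status,
                     "pptp_enabled": pptp_enabled, "action": action})
    # Affected devices first, and among those the ones with the vulnerable
    # feature enabled; remaining ties break on hostname for stable output.
    rows.sort(key=lambda r: (r["status"] != "affected", not r["pptp_enabled"], r["host"]))
    return rows


# Constructed sample inventory (hostnames and enablement flags are made up).
SAMPLE_INVENTORY = [
    ("nas-hq-01", "5.1.2.REO1", True),
    ("nas-branch-02", "4.3.3.RR42", False),
    ("nas-lab-03", "5.1.3.RGL1", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['version']:<12} {row['status']:<9} "
              f"pptp={row['pptp_enabled']!s:<5} {row['action']}")
```

Feed it the version strings from your own device list; a device that lands in the "Ongoing" 4.x branch is the one to wrap in the compensating controls listed above until ASUSTOR ships a fixed build for that line.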

