CyberSecurity SEE

PoC Released for Critical Root RCE Vulnerability in ASUSTOR ADM

A critical security vulnerability has recently been identified in ASUSTOR’s ADM (ASUSTOR Data Master) operating system, which has significant implications for users relying on this software. The vulnerability, classified under the identifier CVE-2026-6644, is particularly concerning as it resides in the PPTP VPN Client feature, which many organizations and individuals utilize to secure their connections.

The vulnerability has been assigned a critical severity score of 9.4 on the CVSS v4.0 scale. This OS command injection flaw enables an authenticated administrator to execute arbitrary commands with root privileges. ASUSTOR has addressed the issue with a patch in ADM version 5.1.3.RGO1.

Mechanism of Exploitation

According to security researcher uky007, the problem originates in the PPTP VPN connection handler at /portal/apis/settings/vpn.cgi. When an administrator enters a PPTP server address, the system writes it directly into a pppd configuration file using the pty directive, without escaping or otherwise sanitizing the input.

While the system does correctly apply single-quote escaping to the username and password parameters, it neglects the server address. Because pppd executes the pty value via /bin/sh, an attacker can use this gap to break out of the constrained web interface and run root-level commands on the underlying operating system.
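The escaping gap described above, as an added illustration that is not ASUSTOR's code: a handler that builds the pppd pty line the way the article describes, beside a hardened version that allowlists the server address before it is written. The exact pty line ADM writes is not shown in the article; the `pptp <server> --nolaunchpppd` form used here is an assumption, and all inputs are constructed.

```python
import ipaddress
import re
import shlex

# One DNS label: 1-63 chars of [A-Za-z0-9-], no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_server_address(addr: str) -> bool:
    """Allowlist check: the value must be an IPv4/IPv6 literal or a hostname.

    Anything else (shell metacharacters, whitespace, quotes) is rejected
    outright, so the value can never carry a second command into /bin/sh.
    """
    if not addr or len(addr) > 253:
        return False
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        pass
    labels = addr.rstrip(".").split(".")
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def build_pty_line_vulnerable(server: str) -> str:
    """The flawed pattern the article describes: the administrator-supplied
    address is concatenated unescaped into a line that pppd later hands to
    /bin/sh, while username/password elsewhere are single-quote escaped."""
    return f'pty "pptp {server} --nolaunchpppd"'  # assumed line format


def build_pty_line_hardened(server: str) -> str:
    """Reject anything that is not a host or IP literal, then shell-quote the
    survivor as defence in depth (a no-op for well-formed addresses)."""
    if not is_valid_server_address(server):
        raise ValueError("PPTP server address must be a hostname or IP literal")
    return f'pty "pptp {shlex.quote(server)} --nolaunchpppd"'  # assumed line format
```

The validator is the real fix; the quoting only limits damage if a later change widens the allowlist.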

To demonstrate the severity of this vulnerability, a Python-based Proof of Concept (PoC) script has already been made public, illustrating how this injection can be carried out effectively. However, it is essential to note that the exploit is not a pre-authentication issue; attackers must first obtain administrator access to the ADM management interface to execute their malicious actions.

Default Credential Risks

Despite this requirement, ASUSTOR devices often come outfitted with default credentials (admin/admin). If users neglect to change these default settings, the risk of compromise becomes alarmingly high, as attackers can easily gain access through rudimentary password guessing or exploitation of the default login.

Once an attacker secures root access, they have the ability to take complete control of the NAS device. This level of access not only enables the installation of persistent malware but also provides a means to access sensitive stored data. In worse scenarios, compromised devices can be repurposed into botnets, which could be utilized for Distributed Denial of Service (DDoS) attacks and other forms of proxy abuse.

Threat Landscape and Mitigation Strategies

Analysis from Censys scanning data reveals that there are approximately 19,000 internet-facing hosts associated with ASUSTOR. While these figures indicate the broader footprint of ASUSTOR’s technology, they serve as a stark reminder of the potential target space available for attackers looking for unpatched systems to exploit.

In light of CVE-2026-6644, security teams and NAS administrators are strongly encouraged to adopt a series of defensive measures to mitigate risks. The recommended protective steps include:

By taking these recommended steps, users can substantially bolster their defenses against the risks posed by CVE-2026-6644 and safeguard their data and systems from malicious exploits.
