Critical OS Command Injection Vulnerability (CVE-2026-6644) in ASUSTOR ADM

A high-severity security flaw has been identified within the ASUSTOR Data Master (ADM) operating system, posing a significant risk to Network Attached Storage (NAS) deployments. Tracked as CVE-2026-6644, this vulnerability targets the PPTP VPN Client functionality, allowing for complete system compromise under specific conditions.

With a staggering CVSS v4.0 score of 9.4, this is not a minor bug; it is a critical OS command injection flaw. If exploited, an authenticated administrator can bypass standard application constraints to execute arbitrary commands with root privileges—the highest level of authority on the system. Fortunately, ASUSTOR has proactively released a patch in ADM version 5.1.3.RGO1 to mitigate this risk.

Technical Analysis: How the Injection Occurs

The architectural weakness resides in how the system handles network configuration parameters. Detailed research by security analyst uky007 points to the PPTP VPN connection handler, located at the endpoint /portal/apis/settings/vpn.cgi, as the primary vector.

The vulnerability stems from a failure in input validation and sanitization logic. When a user configures a PPTP connection, the system takes the provided “server address” and writes it directly into a pppd (Point-to-Point Protocol Daemon) configuration file using the pty directive.

Technical breakdown of the CVE-2026-6644 vulnerability
Technical breakdown of the vulnerability flow (Source: uky007/GitHub)

In a classic case of inconsistent sanitization, the ADM software appropriately applies single-quote escaping to the username and password fields, but it neglects to perform any sanitization on the server address field. Because pppd invokes the pty value through /bin/sh, an attacker can craft a malicious server address containing shell metacharacters. This allows them to “break out” of the intended configuration string and execute system-level commands.

While a Python-based Proof of Concept (PoC) has been disclosed, it is worth noting that this is an authenticated vulnerability. An attacker must first possess administrator credentials to reach the vulnerable endpoint. However, this defense-in-depth layer is often bypassed in real-world scenarios because many ASUSTOR devices are deployed with factory-default credentials (such as admin/admin), making the exploitation path deceptively simple for automated bots.

The Impact of Root-Level Compromise

Once an attacker achieves root execution, the security boundary of the NAS effectively vanishes. The implications include:

  • Data Exfiltration: Unrestricted access to all sensitive files, backups, and intellectual property stored on the drives.
  • Persistence: The ability to install rootkits or backdoors that survive reboots and firmware updates.
  • Botnet Recruitment: Utilizing the NAS hardware for large-scale Distributed Denial of Service (DDoS) attacks or as a proxy for malicious traffic.

Exposure Landscape and Mitigation Strategy

Data from Censys scanning engines suggests an upper-bound estimate of approximately 19,000 internet-facing hosts associated with ASUSTOR. While this represents the total reachable footprint rather than a confirmed count of vulnerable units, it underscores the massive scale of the potential attack surface.

Censys scanning data showing ASUSTOR footprint
Upper-bound estimate of internet-facing ASUSTOR hosts via Censys. (Source: uky007/GitHub)

To secure your environment against CVE-2026-6644, we recommend a multi-layered defense approach:

  • Immediate Patching: Update your ASUSTOR ADM firmware to version 5.1.3.RGO1 or the latest available version immediately.
  • Credential Hygiene: Replace all default administrator credentials with complex, unique passwords managed via a secure vault.
  • Network Edge Security: Avoid exposing the ADM management interface directly to the public internet. Instead, use a firewall or a trusted VPN to gatekeep access.
  • Access Control: Restrict management interface access to specific, trusted internal IP ranges.
  • Attack Surface Reduction: Audit and disable any unnecessary services or protocols (like PPTP, if not strictly required) to minimize the available entry points for attackers.

Related Articles

Back to top button