ASUSTOR: PoC Released for Critical ASUSTOR ADM Root RCE Vulnerability

Critical Zero-Day Exploit in ASUSTOR ADM PPTP VPN Client Exposes NAS Devices to Root-Level Attacks

A proof-of-concept (PoC) exploit has been released for CVE-2026-6644, a now-patched critical zero-day vulnerability in the PPTP VPN client of ASUSTOR's ADM, the operating system of its NAS devices. The flaw is rated 9.4 (Critical) under CVSS v4.0 and allows an authenticated administrator to execute arbitrary commands with root privileges on vulnerable NAS devices.

The vulnerability is an OS command injection in /portal/apis/settings/vpn.cgi: the PPTP server address submitted through the web interface is written verbatim into a pppd configuration file without input validation. pppd then hands that configuration to /bin/sh while running as root, so shell metacharacters in the server address (a `;` or `$(...)`, for example) end the intended command and start an attacker-supplied one. The injection therefore crosses from the web interface, which accepts the address, into a root process that executes it.
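
As an added example (not code from the article, from ASUSTOR, or from the PoC), the following Python models the vulnerable pattern beside its hardened form and shows what the shell would actually run. It assumes the CGI builds a pppd `pty` command of the form `pptp <server> --nolaunchpppd` (pppd runs the `pty` command through `/bin/sh -c`); the real template written by vpn.cgi is not public, so that shape is an assumption, and the attacker input is constructed for the demonstration.

```python
import ipaddress
import re
import shlex

# Assumed shape of what vpn.cgi writes into the pppd peer file for a PPTP
# connection: the PPTP client is started through pppd's `pty` option, and
# pppd hands the command to /bin/sh -c while running as root. The real
# template used by ADM is not public; this one is an assumption.
PTY_TEMPLATE = "pptp {server} --nolaunchpppd"

# Constructed attacker input for the PPTP "server address" field.
MALICIOUS_SERVER = "10.0.0.1; sh -c 'id > /tmp/pwned'"


def build_pty_command_unsafe(server: str) -> str:
    """Vulnerable pattern: interpolate the user-supplied address verbatim."""
    return PTY_TEMPLATE.format(server=server)


# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_server_address(server: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a hostname, nothing else."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(server) is not None


def build_pty_command_safe(server: str) -> str:
    """Hardened: reject anything outside the allow-list, then quote for sh
    anyway so a later relaxation of the check cannot reintroduce the bug."""
    if not is_valid_server_address(server):
        raise ValueError(f"rejected PPTP server address: {server!r}")
    return PTY_TEMPLATE.format(server=shlex.quote(server))


def shell_commands(command_line: str) -> list[list[str]]:
    """Tokenise like /bin/sh and split on command separators, to show how
    many commands the shell would run for a given pty string."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    unsafe = build_pty_command_unsafe(MALICIOUS_SERVER)
    print("unsafe pty command:", unsafe)
    for cmd in shell_commands(unsafe):
        print("  sh would run:", cmd)
    print("safe pty command:", build_pty_command_safe("vpn.example.com"))
    try:
        build_pty_command_safe(MALICIOUS_SERVER)
    except ValueError as exc:
        print("hardened builder:", exc)
```

The unsafe builder turns the constructed address into two shell commands, the second of which runs whatever the attacker placed after the `;`, with pppd's privileges. The hardened builder relies on the allow-list, not on quoting: quoting alone would still let a hostname-shaped value through, and the allow-list keeps the field to what a PPTP server address can legitimately be.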

The flaw requires administrator authentication, but that barrier is low on any device still using ASUSTOR's default credentials (admin/admin): an unpatched NAS with default credentials and a reachable management interface is trivially exploitable. Successful exploitation gives full control of the device, including malware deployment, data exfiltration, use of the NAS as DDoS infrastructure, and installation of persistence mechanisms.

Affected Versions

The vulnerability impacts multiple ADM firmware releases:

  • ADM 4.1.0 – 4.3.3.RR42
  • ADM 5.0.0 – 5.1.2.REO1
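
As an added example (not from the article or from ASUSTOR), the following Python classifies an ADM version string against the ranges listed above, the kind of check run over a fleet inventory. It compares only the numeric triplet and treats the build tag (RR42, REO1, RGO1) as opaque, so every build of 4.3.3 and 5.1.2 is counted as affected; that conservative reading, and the sample inventory, are assumptions.

```python
import re

# Affected and fixed versions as listed above (advisory AS-2026-006). Only the
# numeric triplet is compared; the build tag (RR42, REO1, RGO1) is treated as
# opaque, so every build of 4.3.3 and 5.1.2 counts as affected. That is a
# conservative assumption, not a statement from the advisory.
AFFECTED_RANGES = (("4.1.0", "4.3.3"), ("5.0.0", "5.1.2"))
FIXED_VERSION = "5.1.3"

_ADM_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?")


def parse_adm_version(version: str) -> tuple[int, int, int]:
    """Turn '5.1.2.REO1' into (5, 1, 2); raises ValueError on anything else."""
    match = _ADM_VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"not an ADM version string: {version!r}")
    major, minor, patch, _build = match.groups()
    return (int(major), int(minor), int(patch))


def triage_adm_version(version: str) -> str:
    """Classify an ADM version: 'affected' (inside a listed range), 'fixed'
    (5.1.3 or later) or 'not listed' (outside both ranges and below the fix,
    e.g. a 4.4.x build the advisory does not mention)."""
    v = parse_adm_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_adm_version(low) <= v <= parse_adm_version(high):
            return "affected"
    if v >= parse_adm_version(FIXED_VERSION):
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample data.
    inventory = [
        ("nas-01", "4.3.3.RR42"),
        ("nas-02", "5.1.2.REO1"),
        ("nas-03", "5.1.3.RGO1"),
        ("nas-04", "4.4.0"),
    ]
    for host, ver in inventory:
        print(f"{host}: ADM {ver} -> {triage_adm_version(ver)}")
```

A "not listed" result is not a clean bill of health; it only means the version falls outside what the advisory names, and such hosts should be checked against the vendor's advisory directly rather than assumed safe.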

Attack Surface & Exposure

Internet scans show approximately 19,000 internet-facing ASUSTOR NAS hosts. Not all of them are necessarily on an affected ADM version or under active attack, but a management interface reachable from the internet is exactly the exposure this flaw needs, and the public PoC makes remediation urgent.

Patch & Mitigations

ASUSTOR released a fix in ADM 5.1.3.RGO1 under security advisory AS-2026-006. Recommended actions include:

  • Updating to ADM 5.1.3.RGO1 or later (the only fixed release named in the advisory, so devices on the 4.x line must move to 5.x)
  • Blocking WAN access to the ADM management interface
  • Changing default credentials
  • Disabling unused services, including PPTP VPN
  • Restricting administration to trusted VPN networks

Given the severity and public exploit availability, affected deployments should prioritize patching.

Source: https://cyberpress.org/poc-released-asustor-adm-root-rce/

ASUSTOR Inc. cybersecurity rating report: https://www.rankiteo.com/company/asustor-inc-

{
  "id": "ASU1777551827",
  "linkid": "asustor-inc-",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Approximately 19,000 internet-facing ASUSTOR NAS hosts (potentially vulnerable)",
      "industry": "Data Storage/NAS Devices",
      "name": "ASUSTOR",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "OS Command Injection",
  "data_breach": {
    "data_exfiltration": "Potential data exfiltration"
  },
  "description": "A proof-of-concept (PoC) exploit has been released for CVE-2026-6644, a now-patched critical zero-day vulnerability in ASUSTOR’s ADM PPTP VPN Client. The flaw allows authenticated administrators to execute arbitrary commands with root privileges on vulnerable NAS devices due to an OS command injection in `/portal/apis/settings/vpn.cgi`. The vulnerability is exacerbated by ASUSTOR’s default credentials (`admin/admin`), making unpatched systems trivially exploitable. Successful exploitation could lead to full system compromise, malware deployment, data exfiltration, DDoS infrastructure setup, and persistence mechanisms.",
  "impact": {
    "data_compromised": "Potential data exfiltration",
    "operational_impact": "Full system compromise, malware deployment, DDoS infrastructure setup, persistence mechanisms",
    "systems_affected": "ASUSTOR NAS devices running vulnerable ADM versions"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch released in ADM 5.1.3.RGO1",
    "root_causes": "OS command injection in `/portal/apis/settings/vpn.cgi` due to improper input validation in PPTP server address parameter"
  },
  "recommendations": [
    "Update to ADM 5.1.3.RGO1 or later",
    "Block WAN access to the ADM management interface",
    "Change default credentials",
    "Disable unused services, including PPTP VPN",
    "Restrict administration to trusted VPN networks"
  ],
  "references": [
    {"source": "ASUSTOR Security Advisory"}
  ],
  "response": {
    "containment_measures": [
      "Updating to ADM 5.1.3.RGO1 or later",
      "Blocking WAN access to the ADM management interface",
      "Changing default credentials",
      "Disabling unused services, including PPTP VPN",
      "Restricting administration to trusted VPN networks"
    ],
    "remediation_measures": "Patch released in ADM 5.1.3.RGO1 (AS-2026-006)"
  },
  "title": "Critical Zero-Day Exploit in ASUSTOR ADM PPTP VPN Client Exposes NAS Devices to Root-Level Attacks",
  "type": "Zero-Day Exploit",
  "vulnerability_exploited": "CVE-2026-6644"
}