CVE-2026-6644 · CRITICAL 9.1 · EPSS p70.0%

Description

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. This occurs due to insufficient validation of user-supplied input before it is passed to a system shell. Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) and fully compromise the system. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.45% probability of exploitation · percentile 70.0% · 2026-06-19T12:03:05Z
Published: 2026-04-20
Last modified: 2026-04-30

Underlying weaknesses · 1

CWE-78

References

  1. https://www.asustor.com/security/security_advisory_detail?id=55
  2. https://uky007.github.io/CVE-2026-6644/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-6643
CVE-2026-44866
CVE-2026-44867
CVE-2026-44869
CVE-2026-44868
CVE-2026-50206

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.