External risk intelligence

Asustor Data Master can be fully compromised by attackers

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-6644

An internal attacker with administrative access to ADM could modify VPN settings to take full control of the system. This level of access could allow them to plant backdoors or steal sensitive files, potentially resulting in a complete compromise of the device.

Halo Surface Signal: 2

OS Command Injection

Asustor Data Master

Affected versions: 4.1.0.RHU2 to before 4.3.3.RR42; 5.0.0.RA82 to before 5.1.2.REO1

External exposure likelihood

Halo Surface Signal score for CVE-2026-6644

The vulnerability resides in an administrative management interface that is normally reachable only from the local network. Some users do expose the ADM web interface to the internet, but that is neither the default nor the intended configuration. Because exploitation also requires an already-authenticated administrator session, the interface is usually shielded by both network controls and the credential requirement.

Horizon Alert

Summary of the vulnerability and why it matters

A command injection vulnerability in ASUSTOR Data Master allows an authenticated administrator to execute arbitrary commands on the underlying operating system. The cause is that input supplied in the PPTP VPN client configuration is not sanitized before it is interpolated into a system shell command, so shell metacharacters in a configuration field are interpreted by the shell rather than treated as data. Because the NAS services run with high privilege, this can lead to full compromise of the device.

  • Allows arbitrary command execution on the NAS operating system.
  • Exploitable by authenticated administrative users.
  • Requires administrative access to the ADM web interface.

Attack Path

How an attacker could exploit the issue

An authenticated administrator could exploit this by saving a PPTP VPN client configuration whose fields contain crafted input such as shell metacharacters. Because the value is not validated before being placed in a shell command, the shell executes the injected text as an additional command, giving code execution on the underlying operating system.

  • Requires administrative access to the ADM web interface.
  • Targets unsanitized fields in the PPTP VPN client configuration.
  • Results in unrestricted command execution on the host.
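The following is an added illustration of the vulnerability class described above (CWE-78), not ASUSTOR's code: the exact ADM code path, field names and command line are unknown, so the handler, the `pptp` argument layout and the sample inputs are assumptions. It shows the injectable pattern (fields interpolated into one shell string) next to a hardened version (allow-list validation plus an argv list passed to the program without a shell), and uses `shlex` to reveal what a POSIX shell would execute without actually running anything.

```python
"""Illustrative PPTP-client command construction, added example (not ADM's code).

The handler names, field names and `pptp` argument layout are assumptions made
for demonstration; the sample inputs below are constructed.
"""
import re
import shlex
import subprocess
from typing import List

# Constructed samples of what an administrator might submit in the "server" field.
BENIGN_SERVER = "vpn.example.com"
MALICIOUS_SERVER = "vpn.example.com; id > /tmp/pwned"

# Shell operators that start a new simple command. Redirections (>, <) are kept
# inside the current command so the injected command's effect is visible.
_SEPARATORS = {";", "|", "&", "&&", "||"}


def build_shell_command(server: str, user: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted fields interpolated into a shell string.

    Anything fed to `sh -c` with this string is interpreted by the shell, so a
    value containing ';' splits it into two commands.
    """
    return f"pptp {server} user {user} nodetach"


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenize `cmd` the way a POSIX shell would and group tokens into the
    separate simple commands the shell would run. Used to inspect, not execute."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in _SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Allow-lists: a hostname (RFC 1123 labels) and a conservative username charset.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def validate_field(name: str, value: str, pattern: "re.Pattern[str]") -> str:
    """Reject any value that does not match the field's allow-list."""
    if not pattern.fullmatch(value):
        raise ValueError(f"{name} rejected: {value!r}")
    return value


def build_argv(server: str, user: str) -> List[str]:
    """Hardened pattern: validate each field, then build an argv list.

    An argv list handed to subprocess without shell=True never passes through
    a shell, so metacharacters in a field cannot start a second command.
    """
    return [
        "pptp",
        validate_field("server", server, HOSTNAME_RE),
        "user",
        validate_field("user", user, USERNAME_RE),
        "nodetach",
    ]


def run_pptp(server: str, user: str) -> "subprocess.CompletedProcess[bytes]":
    """Launch the client safely (shell=False is the default for a list argv).
    Not invoked in this example, since `pptp` is not assumed to be installed."""
    return subprocess.run(build_argv(server, user), check=False)


if __name__ == "__main__":
    # The vulnerable string turns into two commands; the second is attacker-controlled.
    for cmd in shell_commands(build_shell_command(MALICIOUS_SERVER, "alice")):
        print("shell would run:", cmd)
    # The hardened builder refuses the same input before any command is formed.
    try:
        build_argv(MALICIOUS_SERVER, "alice")
    except ValueError as err:
        print("rejected:", err)
    print("accepted argv:", build_argv(BENIGN_SERVER, "alice"))
```

The split into "validate against an allow-list" and "never hand the value to a shell" is deliberate: either control alone is enough to stop this particular payload, but the argv list is the control that holds even when a validator is later loosened, so both belong in the fix.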

Live Threat

Current exploitation, exposure, and threat context

Attackers may be interested in this vulnerability because it yields code execution on the NAS, but the requirement for administrative credentials significantly limits its broad appeal: it is most useful as a post-authentication step after credentials have been phished, reused or otherwise obtained. Exploitation is less likely where the management interface is not exposed externally, which is the common and recommended practice.

  • Exploitation requires admin credentials.
  • No public exploit code observed.
  • Limited public discussion.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching of ADM versions from 4.1.0.RHU2 to before 4.3.3.RR42 and from 5.0.0.RA82 to before 5.1.2.REO1, since this command injection allows full system compromise once an administrator session is available. If patching is delayed, review all administrative accounts and their recent activity for signs of misuse, disable the PPTP VPN client if it is not needed, and segment affected devices from critical internal networks.

  • Patch to resolved versions.
  • Restrict administrative access.
  • Monitor logs for unauthorized commands.

Frequently asked questions

What is ASUSTOR Data Master (ADM)?

ASUSTOR Data Master (ADM) is the operating system for ASUSTOR NAS devices. It provides a user-friendly interface for managing files, sharing data across different operating systems, and running various applications for backup, multimedia, and more.

What kind of weakness does CVE-2026-6644 represent?

CVE-2026-6644 is an OS command injection vulnerability, classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Input is placed into an operating system command without neutralizing shell metacharacters, so an attacker can append or alter commands that the shell then executes.

What are the preconditions for exploiting CVE-2026-6644?

An attacker must have administrative privileges and network access to the ASUSTOR Data Master's web interface. The vulnerability is triggered when user-supplied input in the PPTP VPN client configuration is not properly validated before being used in system shell commands.

Who is most affected by this vulnerability, and why?

Organizations using affected versions of ASUSTOR Data Master (ADM) should be concerned. Since the vulnerability requires administrative access, it's less likely to be exploited by external attackers without prior compromise. However, if an attacker gains administrative control, they can execute arbitrary code.

What is the immediate first step for managing this threat?

The primary action is to update ASUSTOR Data Master to a patched version as soon as possible. If immediate patching isn't feasible, consider disabling the PPTP VPN client functionality if it's not actively needed and review administrative access controls.
