What is CVE-2026-6644?

CVE-2026-6644 is a critical-severity vulnerability in Asustor Data_master, classified under OS Command Injection. CVSS score: 9.1/10. Published 2026-04-20.

How severe is CVE-2026-6644?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2026-6644 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Asustor Data_master

CVE-2026-6644

A command injection vulnerability was found in the PPTP VPN Clients on the ADM. The vulnerability allows an administrative user to break out of the restricted web environment and execute arbitrary code on the underlying operating system. T…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.004 (57.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Asustor Data_master
Asustor Inc. Adm — versions 4.1.0, 5.0.0

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

uky007/CVE-2026-6644

References

security@asustor.com (vendor-advisory, Broken Link, Vendor Advisory)
134c704f-9b21-4f2e-91b3-4a467353bcc0

Frequently asked questions

What is CVE-2026-6644?: CVE-2026-6644 is a critical-severity vulnerability in Asustor Data_master, classified under OS Command Injection. CVSS score: 9.1/10. Published 2026-04-20.
How severe is CVE-2026-6644?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2026-6644 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.