Asustor ADM
cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*, +2 more
- >= 4.1.0, <= 4.3.3.RR42
- >= 5.0.0, <= 5.1.2.REO1
A command injection vulnerability has been identified in the PPTP VPN clients on Asustor's ADM operating system. This vulnerability enables an administrative user to escape the confined web environment and execute arbitrary code on the underlying operating system. The issue arises from inadequate validation of user-supplied input before it is transmitted to a system shell. Successful exploitation of this vulnerability allows an attacker to achieve remote code execution and gain full control over the system. The vulnerability affects Asustor ADM versions 4.1.0 through 4.3.3.RR42, as well as 5.0.0 through 5.1.2.REO1.
Exploitation of this vulnerability leads to remote code execution on the affected system, allowing an attacker to execute arbitrary code with the same privileges as the user running the PPTP VPN client.
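To triage a fleet against the affected ranges listed above, the following added example (not code from Asustor or from this page) classifies ADM version strings. The function names, the sample inventory and the `check_build` outcome are assumptions introduced here; because the page does not say how build codes are ordered, a build at an upper bound is matched only exactly.

```python
import re

# Affected ranges exactly as listed on this page: (lower bound, upper bound).
AFFECTED_RANGES = [("4.1.0", "4.3.3.RR42"), ("5.0.0", "5.1.2.REO1")]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")


def parse_version(text):
    """Split 'X.Y.Z[.BUILD]' into ((X, Y, Z), BUILD or None)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized ADM version string: {text!r}")
    major, minor, patch, build = match.groups()
    return (int(major), int(minor), int(patch)), build


def classify(version):
    """Return 'affected', 'not_affected' or 'check_build' for one version."""
    numeric, build = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        low_numeric, _ = parse_version(lower)
        high_numeric, high_build = parse_version(upper)
        if low_numeric <= numeric < high_numeric:
            return "affected"
        if numeric == high_numeric:
            # Assumption: the ordering of build codes is not documented on the
            # page, so only an exact match with the listed build is treated as
            # affected; any other build of that release needs a manual check.
            return "affected" if build == high_build else "check_build"
    return "not_affected"


def triage(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "nas-01": "4.2.0.XX01",
    "nas-02": "4.3.3.RR42",
    "nas-03": "4.3.3.ZZ99",
    "nas-04": "5.2.0.XX01",
    "nas-05": "4.0.9",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `check_build` run the same release as an upper bound with a different build code and should be compared against the vendor's release notes by hand.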