{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-6643","assignerOrgId":"f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77","state":"PUBLISHED","assignerShortName":"ASUSTOR1","dateReserved":"2026-04-20T04:06:43.009Z","datePublished":"2026-04-20T06:34:27.511Z","dateUpdated":"2026-04-20T13:46:07.764Z"},"containers":{"cna":{"providerMetadata":{"orgId":"f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77","shortName":"ASUSTOR1","dateUpdated":"2026-04-20T06:34:27.511Z"},"title":"A stack-based buffer overflow vulnerability in the VPN Clients on the ADM","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-121","description":"CWE-121 Stack-based buffer overflow","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-135","descriptions":[{"lang":"en","value":"CAPEC-135 Format String Injection"}]}],"affected":[{"vendor":"ASUSTOR Inc.","product":"ADM","platforms":["Linux","x86","ARM","64 bit"],"packageName":"VPN Clients","versions":[{"status":"affected","version":"4.1.0","lessThanOrEqual":"4.3.3.RR42","versionType":"custom"},{"status":"affected","version":"5.0.0","lessThanOrEqual":"5.1.2.REO1","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. \nAffected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.","supportingMedia":[{"type":"text/html","base64":false,"value":"A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. <br>Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1."}]}],"references":[{"url":"https://www.asustor.com/security/security_advisory_detail?id=54","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"LOW","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":8.6,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"}}],"credits":[{"lang":"en","value":"YU-XIANG HUANG (mlgzackfly)","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.1"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-6643","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-04-20T13:20:51.858306Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-20T13:46:07.764Z"}}]}}