cbcvebase.
CVE-2020-35665
published 2020-12-23

CVE-2020-35665: An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in…

PriorityP191critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
78.14%
99.5th percentile
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

Affected

1 ranges
VendorProductVersion rangeFixed in
terra-masterterramaster_operating_system<= 4.2.06

Detection & IOCsextracted from sources · hover to see the quote

pathinclude/makecvs.php
port8181
url/include/makecvs.php?Event=
path/usr/www/
commandbash -c "{echo,<base64_payload>}|{base64,-d}|{bash,-i}"
commandhttp|echo "" >> /usr/www/<random>.php && chmod +x /usr/www/<random>.php||
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_18;)
  • Detect unauthenticated GET requests to /include/makecvs.php with an Event parameter containing shell metacharacters (backtick, semicolon, pipe, ampersand, URL-encoded equivalents %60, %3b, %7c, %26) and a URL-encoded space (%20).
  • Monitor for unexpected .php file creation under /usr/www/ on TerraMaster devices, which is the web shell drop location used by the exploit.
  • Monitor for POST requests to randomly named .php files under the web root immediately following a GET to /include/makecvs.php — this is the two-stage web shell upload and execution pattern used by the exploit.
  • Check the /version endpoint response for TerraMaster TOS version 4.2.06 or lower; the exploit checks version <= '4206' to confirm vulnerability before proceeding.
  • The exploit defaults to port 8181 for TerraMaster TOS; monitor HTTP traffic on this non-standard port for exploitation attempts targeting /include/makecvs.php.
  • The exploit uses the default Metasploit payload cmd/unix/reverse_perl with base64-encoded commands passed via brace expansion to bash; look for brace-expansion patterns like {echo,<base64>}|{base64,-d}|{bash,-i} in HTTP request bodies or process arguments.
  • ·The ET/Snort rule (sid:2031535) covers both CVE-2020-28188 and CVE-2020-35665 with the same signature; tuning may be needed to distinguish between the two vulnerabilities in alerting.
  • ·The web application on TerraMaster TOS typically runs as root, meaning successful exploitation grants full system compromise — prioritize detection and patching accordingly.
  • ·No authentication is required to exploit this vulnerability; perimeter controls blocking unauthenticated access to port 8181 are a critical compensating control.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.