CVE-2022-24990
published 2023-02-07

Priority: P196
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2023-03-03
Exploited in the wild
EPSS: 84.05% (99.7th percentile)

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | terramaster_operating_system | < 4.2.31 | 4.2.31 |

Detection & IOCs (extracted from sources)

url: /module/api.php?mobile/webNasIPS
url: /module/api.php?mobile/createRaid
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect GET requests to the information disclosure endpoint by matching on URI path `/module/api.php?mobile/webNasIPS` combined with User-Agent `TNAS`; response body will contain fields such as `webNasIPS successful`, `ADDR`, `IFC`, `PWD`, `DAT`, `SAT`, and JSON keys like `firmware`, `version`, `mask`, `mac`, `port`, `url`, `ip`, `hostname`.
  • The exploit chains two vulnerabilities: first leaking admin password hash and MAC address via `api.php?mobile/webNasIPS`, then using the harvested credentials to POST to `api.php?mobile/createRaid` with shell metacharacters in the `raidtype` parameter (passed unsanitized to `popen`) to achieve RCE as root.
  • Shodan exposure queries `TerraMaster` and `terramaster` can be used to identify internet-facing vulnerable devices for proactive hunting.
  • The Nuclei template targets the information disclosure endpoint (CVE-2022-24990) specifically; the RCE endpoint (CVE-2022-24989, `api.php?mobile/createRaid`) requires credentials obtained from the first stage and is a separate detection surface.
  • The Emerging Threats Snort rule (sid:2035631) is scoped to inbound traffic toward `$HOME_NET` and `$HTTP_SERVERS`; ensure internal TerraMaster NAS devices are included in these variable definitions for full coverage.
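
A log-triage sketch of the detection notes above, as an added example that is not part of the original page or of any vendor tooling. It assumes the NAS or a reverse proxy in front of it writes access logs in Combined Log Format (an assumption; the page does not describe TOS logging), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip - user [time] "METHOD uri proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LEAK_URI = "/module/api.php?mobile/webNasIPS"   # information disclosure endpoint (from the page)
RAID_URI = "/module/api.php?mobile/createRaid"  # second-stage endpoint (from the page)

def triage(lines):
    """Return (severity, source_ip, reason) findings in log order."""
    findings = []
    leaked = defaultdict(bool)  # source IPs already seen hitting the leak with UA "TNAS"
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        ip, method, uri, ua = m["ip"], m["method"], m["uri"], m["ua"]
        if method == "GET" and uri.startswith(LEAK_URI):
            if ua.strip() == "TNAS":
                leaked[ip] = True
                findings.append(("high", ip, "webNasIPS request with User-Agent TNAS"))
            else:
                # Same URI the Snort rule keys on, but without the TNAS header.
                findings.append(("low", ip, "webNasIPS request, other User-Agent"))
        elif method == "POST" and uri.startswith(RAID_URI):
            if leaked[ip]:
                findings.append(("critical", ip, "createRaid POST after webNasIPS leak"))
            else:
                findings.append(("medium", ip, "createRaid POST"))
    return findings

# Constructed sample lines using documentation address ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"',
    '203.0.113.7 - - [01/Mar/2023:10:00:05 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 64 "-" "TNAS"',
    '198.51.100.20 - - [01/Mar/2023:10:02:11 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Mar/2023:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Mar/2023:10:04:02 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 64 "-" "okhttp/3.12"',
]

if __name__ == "__main__":
    for sev, ip, reason in triage(SAMPLE_LOG):
        print(f"{sev:8} {ip:15} {reason}")
```

The `raidtype` value travels in the POST body, so access logs show only that `createRaid` was called; the per-source correlation with an earlier `webNasIPS` hit is what raises the finding to critical.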

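CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 7.5 | HIGH | |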