CVE-2022-24990
Published 2023-02-07
Priority P1 · 96 · high · 7.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-03-03
Exploited in the wild
EPSS: 84.05% (99.7th percentile)
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Affected
1 range. The sources on this page do not agree on the first fixed build: NVD describes 4.2.29 and earlier as affected, the Nuclei template says TOS < 4.2.30, the CVE-2022-24989 text says through 4.2.30, and the range below lists 4.2.31 as the fix; treat anything below 4.2.31 as in scope until the installed build is confirmed on the device.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| terra-master | terramaster_operating_system | < 4.2.31 | 4.2.31 |
Detection & IOCs (extracted from sources)
suricata (the rule uses the Suricata `http.method` / `http.uri` sticky-buffer syntax, not Snort 2 modifiers)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect GET requests to the information-disclosure endpoint by matching on the URI path `/module/api.php?mobile/webNasIPS`, optionally combined with the `User-Agent: TNAS` header the public exploit sends. A successful response body contains fields such as `webNasIPS successful`, `ADDR`, `IFC`, `PWD`, `DAT` and `SAT`, and JSON keys like `firmware`, `version`, `mask`, `mac`, `port`, `url`, `ip` and `hostname`.
- The public exploit chains two vulnerabilities: CVE-2022-24990 leaks the admin password hash and MAC address via `api.php?mobile/webNasIPS`; the harvested credentials are then used to POST to `api.php?mobile/createRaid` (CVE-2022-24989) with shell metacharacters in the `raidtype` parameter, which is passed unsanitized to `popen`, giving RCE as root.
- Shodan exposure queries `TerraMaster` and `terramaster` can be used to identify internet-facing devices for proactive hunting.
- The Nuclei template targets the information-disclosure endpoint (CVE-2022-24990) only; the RCE endpoint (CVE-2022-24989, `api.php?mobile/createRaid`) requires credentials obtained in the first stage and is a separate detection surface.
- The Emerging Threats rule (sid:2035631) is scoped to inbound traffic toward `$HOME_NET` and `$HTTP_SERVERS`; ensure internal TerraMaster NAS devices are included in those variable definitions for full coverage. The rule matches on method and URI only, so a request without the `TNAS` User-Agent still fires; it is classed as attempted-recon, and the User-Agent and response status are what distinguish a scanner from a likely successful leak.
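The detection logic in the bullets above, as an added example that is not part of the page's sources or of any vendor tooling: it mirrors ET sid:2035631 (GET plus the `webNasIPS` URI) over web-server access logs, raises confidence when the exploit's `TNAS` User-Agent and an HTTP 200 are also present, and flags sources that go on to POST to the `createRaid` endpoint. The combined-format log layout and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Endpoints named on this page: the leak (CVE-2022-24990) and the
# credentialed follow-on RCE (CVE-2022-24989).
PROBE_URI = "/module/api.php?mobile/webNasIPS"
RCE_URI = "/module/api.php?mobile/createRaid"
EXPLOIT_UA = "TNAS"

# Apache/nginx "combined" access-log layout (an assumption of this example).
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Hit:
    src: str
    ts: str
    method: str
    uri: str
    status: int
    ua: str

    @property
    def stage(self) -> str:
        """'leak' for the webNasIPS probe, 'rce' for createRaid, else ''."""
        if self.uri.startswith(PROBE_URI):
            return "leak"
        if self.uri.startswith(RCE_URI):
            return "rce"
        return ""

    @property
    def confidence(self) -> str:
        # ET sid:2035631 keys on GET + URI alone (classtype attempted-recon).
        # The exploit's User-Agent plus an HTTP 200 suggests the leak succeeded.
        if self.stage == "leak" and EXPLOIT_UA in self.ua and self.status == 200:
            return "high"
        return "medium"


def parse_line(line: str):
    """Parse one combined-format line; return a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Percent-decode so "api.php%3Fmobile/webNasIPS" still matches, the way
    # Suricata's normalised http.uri buffer would.
    rec["uri"] = unquote(rec["uri"])
    rec["status"] = int(rec["status"])
    return rec


def scan(lines):
    """Return Hits, in log order, for GET webNasIPS probes and POST createRaid calls."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = Hit(rec["src"], rec["ts"], rec["method"], rec["uri"], rec["status"], rec["ua"])
        if (hit.stage == "leak" and hit.method == "GET") or \
           (hit.stage == "rce" and hit.method == "POST"):
            hits.append(hit)
    return hits


def chained_sources(hits):
    """Sources that hit the leak endpoint and later POSTed to createRaid."""
    leaked, chained = set(), []
    for h in hits:
        if h.stage == "leak":
            leaked.add(h.src)
        elif h.src in leaked and h.src not in chained:
            chained.append(h.src)
    return chained


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2023:10:15:02 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "TNAS"
198.51.100.9 - - [07/Feb/2023:10:15:30 +0000] "GET /module/api.php%3Fmobile/webNasIPS HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Feb/2023:10:16:00 +0000] "GET /tos/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2023:10:17:11 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 51 "-" "TNAS"
not an access log line
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src} {h.stage:4} {h.method} {h.status} ua={h.ua!r} confidence={h.confidence}")
    print("chained leak -> createRaid from:", chained_sources(hits))
```

Run it against a real TOS reverse-proxy or web-server log by replacing `SAMPLE_LOG`; a `high` hit followed by a `createRaid` POST from the same source is the full chain the Metasploit module performs and should be treated as compromise, not reconnaissance.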
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 9.8 CRITICAL (the VulnCheck entry for CVE-2022-24990 itself below scores 7.5; 9.8 is VulnCheck's score for the chained RCE, CVE-2022-24989)
cisa · 7.5 HIGH
CISA
TerraMaster OS Remote Command Execution Vulnerability
cisa·2023-02-10·CVSS 7.5
CVE-2022-24990 [HIGH] CWE-306 TerraMaster OS Remote Command Execution Vulnerability
Vulnerability: TerraMaster OS Remote Command Execution Vulnerability
Affected: TerraMaster TerraMaster OS
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
Required Action: Apply updates per vendor instructions.
Notes: https://forum.terra-master.com/en/viewtopic.php?t=3030; https://nvd.nist.gov/vuln/detail/CVE-2022-24990
Remediation Due Date: 2023-03-03
GHSA
GHSA-37wm-xp2m-g3h7: TerraMaster NAS through 4
ghsa_unreviewed·2023-08-20·CVSS 7.5
CVE-2022-24989 [HIGH] CWE-74 GHSA-37wm-xp2m-g3h7: TerraMaster NAS through 4
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
GHSA
GHSA-hp68-7f8q-r2qj: TerraMaster NAS 4
ghsa_unreviewed·2023-02-07
CVE-2022-24990 [HIGH] CWE-306 GHSA-hp68-7f8q-r2qj: TerraMaster NAS 4
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
VulnCheck
TerraMaster OS Remote Command Execution Vulnerability
vulncheck·2022·CVSS 7.5
CVE-2022-24990 [HIGH] CWE-306 TerraMaster OS Remote Command Execution Vulnerability
TerraMaster OS Remote Command Execution Vulnerability
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
Affected: TerraMaster TerraMaster OS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a; https://cisa.gov/news-events/cybersecurity-advisories/aa23-040a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://4502402.fs1.hubspotusercontent-na1.net/hubfs/4502402/Ransomware%20-%20Index%20Update%20Q1%202023.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2022-2499
VulnCheck
TerraMaster TerraMaster OS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-24989 [CRITICAL] TerraMaster TerraMaster OS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
TerraMaster TerraMaster OS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Affected: TerraMaster TerraMaster OS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.360.cn/n/12457.html
Suricata
ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)
suricata·2022-03-29·CVSS 7.5
CVE-2022-24990 [HIGH] ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)
ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Nuclei
TerraMaster TOS < 4.2.30 Server Information Disclosure
nuclei·CVSS 7.5
CVE-2022-24990 [HIGH] TerraMaster TOS < 4.2.30 Server Information Disclosure
TerraMaster TOS < 4.2.30 Server Information Disclosure
TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure.
Template (excerpt, info section only):
```yaml
id: CVE-2022-24990

info:
  name: TerraMaster TOS < 4.2.30 Server Information Disclosure
  author: dwisiswant0
  severity: high
  description: TerraMaster NAS devices running TOS prior to version 4.2.30 are vulnerable to information disclosure.
  impact: |
    An attacker can exploit this vulnerability to gain sensitive information about the server, potentially leading to further attacks.
  remediation: |
    Upgrade the TerraMaster TOS server to version 4.2.30 or later to mitigate the vulnerability.
  reference:
    - https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantia
```
Metasploit
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
metasploit·CVSS 9.8
CVE-2022-24990 [CRITICAL] TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
This module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.29 and lower by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint `api.php?mobile/webNasIPS` leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint `api.php?mobile/createRaid` with POST parameters `raidtype` and `diskstring` to execute remote code as root on TerraMaster NAS devices.
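The `popen` sink that the Metasploit summary above relies on, recreated as an added example in Python rather than TOS's PHP. This is illustrative code, not TerraMaster's: the mdadm-style invocation, the allowed RAID levels and the disk naming are assumptions, and `echo` stands in for the real binary so the example runs anywhere without touching disks. `subprocess.run(..., shell=True)` is the Python equivalent of PHP's `popen()`; the hardened handler allow-lists `raidtype`, validates each entry of `diskstring`, and builds an argv array so no shell ever parses attacker input.

```python
import re
import subprocess

# Allowed RAID levels: an assumed list for this example, not TOS's own.
ALLOWED_RAIDTYPES = {"raid0", "raid1", "raid5", "raid6", "raid10"}
DISK_RE = re.compile(r"/dev/sd[a-z]+")


def build_shell_command(raidtype: str, diskstring: str) -> str:
    """The vulnerable pattern: untrusted parameters pasted into one shell string."""
    return f"echo mdadm --create /dev/md0 --level={raidtype} {diskstring}"


def create_raid_vulnerable(raidtype: str, diskstring: str) -> str:
    # shell=True hands the string to /bin/sh exactly as PHP's popen() does,
    # so ';', '|' or '$(...)' inside raidtype become additional commands.
    proc = subprocess.run(build_shell_command(raidtype, diskstring),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def create_raid_hardened(raidtype: str, diskstring: str) -> str:
    """Allow-list the level, validate every disk, and never go through a shell."""
    if raidtype not in ALLOWED_RAIDTYPES:
        raise ValueError(f"rejected raidtype {raidtype!r}")
    disks = diskstring.split(",")
    bad = [d for d in disks if not DISK_RE.fullmatch(d)]
    if bad:
        raise ValueError(f"rejected disk(s) {bad!r}")
    # argv form: each element is exactly one argument; no shell parsing happens.
    argv = ["echo", "mdadm", "--create", "/dev/md0", f"--level={raidtype}", *disks]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def injection_succeeded(output: str, marker: str = "INJECTED") -> bool:
    """True if the attacker's marker ran as its own command (it starts a new line)."""
    return any(line.startswith(marker) for line in output.splitlines())


if __name__ == "__main__":
    payload = "raid1; echo INJECTED"          # shell metacharacter in raidtype
    disks = "/dev/sda,/dev/sdb"
    out = create_raid_vulnerable(payload, disks)
    print("vulnerable output:\n" + out + "injected:", injection_succeeded(out))
    try:
        create_raid_hardened(payload, disks)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, valid input:", create_raid_hardened("raid1", disks).strip())
```

With the payload `raid1; echo INJECTED` the vulnerable path prints two lines, the second produced by the injected command, while the hardened path rejects the same value before anything is executed; on a real device the injected command would run as root, which is why CVE-2022-24989 is scored higher than the leak alone.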
Tenable
South Korean and American Agencies Release Joint Advisory on North Korean Ransomware
blogs_tenable·2023-02-16
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990
Timeline
Published: 2023-02-07
Added to CISA KEV: 2023-02-10
Exploited in the wild