Vulnerability Details CVE-2022-24990
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 7.5
Proposed Action
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
Ransomware Campaign
Known
References
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
Products affected by CVE-2022-24990
-
cpe:2.3:h:terra-master:f2-210:-
-
cpe:2.3:h:terra-master:f2-221:-
-
cpe:2.3:h:terra-master:f2-223:-
-
cpe:2.3:h:terra-master:f2-422:-
-
cpe:2.3:h:terra-master:f2-423:-
-
cpe:2.3:h:terra-master:f4-421:-
-
cpe:2.3:h:terra-master:f4-422:-
-
cpe:2.3:h:terra-master:f4-423:-
-
cpe:2.3:h:terra-master:f5-221:-
-
cpe:2.3:h:terra-master:f5-422:-
-
cpe:2.3:h:terra-master:t12-423:-
-
cpe:2.3:h:terra-master:t12-450:-
-
cpe:2.3:h:terra-master:t6-423:-
-
cpe:2.3:h:terra-master:t9-423:-
-
cpe:2.3:h:terra-master:t9-450:-
-
cpe:2.3:h:terra-master:u12-322-9100:-
-
cpe:2.3:h:terra-master:u12-423:-
-
cpe:2.3:h:terra-master:u12-722-2224:-
-
cpe:2.3:h:terra-master:u16-322-9100:-
-
cpe:2.3:h:terra-master:u16-722-2224:-
-
cpe:2.3:h:terra-master:u24-722-2224:-
-
cpe:2.3:h:terra-master:u4-111:-
-
cpe:2.3:h:terra-master:u4-211:-
-
cpe:2.3:h:terra-master:u4-423:-
-
cpe:2.3:h:terra-master:u8-111:-
-
cpe:2.3:h:terra-master:u8-322-9100:-
-
cpe:2.3:h:terra-master:u8-423:-
-
cpe:2.3:h:terra-master:u8-522-9400:-
-
cpe:2.3:h:terra-master:u8-722-2224:-
-
cpe:2.3:o:terra-master:terramaster_operating_system:-
-
cpe:2.3:o:terra-master:terramaster_operating_system:3.0.33
-
cpe:2.3:o:terra-master:terramaster_operating_system:3.1.03
-
cpe:2.3:o:terra-master:terramaster_operating_system:4.2.06
-
cpe:2.3:o:terra-master:terramaster_operating_system:4.2.29