Back to KEVs

CVE-2022-24990

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to...

Basic Information

CVE State
PUBLISHED
Reserved Date
February 14, 2022
Published Date
February 07, 2023
Last Updated
February 03, 2025
Vendor
n/a
Product
n/a
Description
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2023-02-10 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2022-03-08 01:28:32 UTC) Source
Used in Malware
Yes (added 2023-02-10 00:00:00 UTC) Source

References

https://forum.terra-master.com/en/viewforum.php?f=28 https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 https://github.com/0xf4n9x/CVE-2022-24990 https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-02-10 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb 2025-04-29 11:01:15 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24990.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

jsongmax/terraMaster-CVE-2022-24990

Type: github • Created: 2022-10-17 07:54:13 UTC • Stars: 4

ZZ-SOCMAP/CVE-2022-24990

Type: github • Created: 2022-04-12 02:45:56 UTC • Stars: 3

TerraMaster TOS Unauthenticated Remote Command Execution(RCE) Vulnerability CVE-2022-24990

lishang520/CVE-2022-24990

Type: github • Created: 2022-03-20 05:21:08 UTC • Stars: 39

CVE-2022-24990信息泄露+RCE 一条龙

0xf4n9x/CVE-2022-24990

Type: github • Created: 2022-03-20 05:15:16 UTC • Stars: 15

CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation

VVeakee/CVE-2022-24990-POC

Type: github • Created: 2022-03-10 03:16:04 UTC • Stars: 4

仅仅是poc,并不是exp

Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP-

Type: github • Created: 2022-03-08 01:28:32 UTC • Stars: 2

CVE-2022-24990:TerraMaster TOS 通过 PHP 对象实例化执行未经身份验证的远程命令