CVE-2022-24990

high

Description

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

References

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a

https://www.tenable.com/blog/south-korean-and-american-agencies-release-joint-advisory-on-north-korean-ransomware

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990

https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/

https://github.com/0xf4n9x/CVE-2022-24990

https://forum.terra-master.com/en/viewforum.php?f=28

http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2023-02-07

Updated: 2025-10-22

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N