TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a