TerraMaster NAS <=4.2.29 Remote Admin Password Disclosure via API
CVE-2022-24990 Published on February 7, 2023
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Known Exploited Vulnerability
This TerraMaster OS Remote Command Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
The following remediation steps are recommended / required by March 3, 2023: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2022-24990 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2022-24990
Want to know whenever a new CVE is published for Terra Master Terramaster Operating System? stack.watch will email you.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.