CVE-2022-24990
Published on February 7, 2023

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

NVD

Known Exploited Vulnerability

This TerraMaster OS Remote Command Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.

The following remediation steps are recommended / required by March 3, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2022-24990 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Products Associated with CVE-2022-24990

You can be notified by stack.watch whenever vulnerabilities like CVE-2022-24990 are published in these products:

What versions are vulnerable to CVE-2022-24990?

Each of the following must match for the vulnerability to exist.