CVE-2022-24990
CVE-2022-24990 is a high-severity vulnerability in Terra-master Terramaster Operating System with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-10). The underlying weakness is classified as CWE-306.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 84% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-02-10)
- EU (EUVD) id: EUVD-2022-29737
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-02-10)
- Weakness: CWE-306
- Affected product: Terra-master Terramaster Operating System
- Published:
- Last modified:
Description
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVE-2022-24990: TerraMaster TOS Unauthenticated Administrative Password Disclosure
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-24990 |
| CWE | CWE-306: Missing Authentication for Critical Function |
| CVSS v3.1 | 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 0.8405 (99.66th percentile) |
| Known Exploited | Yes — CISA KEV added 2023-02-10; EU Exploited since 2023-02-10 |
| Affected Product | TerraMaster Operating System (TOS) ≤ 4.2.29 |
Summary
TerraMaster Network Attached Storage (NAS) devices running TerraMaster Operating System (TOS) version 4.2.29 and earlier contain an authentication bypass vulnerability in the module/api.php?mobile/webNasIPS endpoint. An unauthenticated remote attacker can retrieve the administrative password by sending a request with the User-Agent: TNAS header and reading the PWD field in the JSON response. This flaw effectively grants complete administrative access to affected devices.
Background
TerraMaster is a vendor of NAS hardware and software aimed at small-to-medium businesses and home users. The TerraMaster Operating System (TOS) provides a web-based management interface and a mobile API for remote administration. The mobile/webNasIPS endpoint is part of this API surface and is intended to support mobile client discovery or status reporting. Because this endpoint performs a sensitive operation—returning the administrator's cleartext password—without requiring authentication, it represents a critical security misconfiguration.
Root Cause
The vulnerability is classified under CWE-306: Missing Authentication for Critical Function. The affected API endpoint fails to verify that the caller is an authenticated and authorized user before returning the administrative password. The only client-side gate is a trivial User-Agent string check (TNAS), which is trivially spoofed and does not constitute authentication. This indicates a design-level failure where a convenience feature (mobile setup/discovery) was implemented without adequate access controls.
Impact
The CVSS v3.1 score of 7.5 (HIGH) reflects the severe confidentiality impact with minimal prerequisites for exploitation:
- Attack Vector (AV): Network — exploitable remotely over the internet if the device is exposed.
- Attack Complexity (AC): Low — no special conditions or advanced techniques required.
- Privileges Required (PR): None — fully unauthenticated.
- User Interaction (UI): None — no victim interaction needed.
- Scope (S): Unchanged — impact is limited to the vulnerable device.
- Confidentiality (C): High — the administrative password is fully disclosed.
- Integrity (I): None — no direct integrity impact in the base metric.
- Availability (A): None — no direct availability impact in the base metric.
Once the password is obtained, an attacker can authenticate to the web administration panel and effectively gain full control over the NAS, including all stored data, user accounts, and system configuration.
Exploitation Walkthrough
Ethics & Legal Notice: The following description is provided for defensive and educational purposes only. Testing or exploiting this vulnerability against systems you do not own or have explicit permission to test is illegal and unethical. The information below is generic and does not constitute a working weaponized exploit.
An attacker identifies a TerraMaster NAS device, typically via internet-wide scanning for TOS web interfaces or Shodan/Censys queries. The attacker then sends an HTTP GET request to the following path:
/module/api.php?mobile/webNasIPS
with the HTTP request header:
User-Agent: TNAS
If the device is vulnerable, the server responds with a JSON object containing device metadata. Within this response, the PWD field holds the current administrative password in cleartext. The attacker can then navigate to the TOS login page and authenticate as admin using the disclosed password.
Because the User-Agent check is the sole control and is client-controlled, any scripting tool, browser extension, or proxy can be used to modify the header and trigger the disclosure.
Affected and Patched Versions
Affected:
- TerraMaster Operating System (TOS) version 4.2.29 and earlier.
The following hardware families are confirmed affected based on CPE data (the list is not exhaustive):
F2-210, F2-221, F2-223, F2-422, F2-423, F4-421, F4-422, F4-423, F5-221, F5-422, T6-423, T9-423, T9-450, T12-423, T12-450, U4-111, U4-211, U4-423, U8-111, U8-423, U8-522-9400, U8-722-2224, U12-423, U12-722-2224, U16-322-9100, U16-722-2224, U24-722-2224, and others.
Patched:
- The specific patched version is not documented in the available source data. Administrators should consult TerraMaster's official forum or support channels to confirm the current secure release and upgrade accordingly.
Remediation
- Upgrade Firmware: Check the TerraMaster support portal or the device administration panel for the latest TOS firmware and apply it immediately. Verify the release notes explicitly address CVE-2022-24990.
- Network Segmentation: Restrict NAS management interfaces to internal, trusted network segments. Do not expose the TOS web interface or API to the public internet.
- Firewall Rules: Implement strict ingress firewall rules allowing management access only from designated administrative hosts or VPN endpoints.
- Change Default/Disclosed Credentials: If you suspect exposure, change the administrative password immediately after patching. Review account logs for unauthorized access.
- Compensating Controls: If patching is delayed, block access to
/module/api.php?mobile/webNasIPSat a reverse proxy or WAF layer, and restrict by source IP where feasible.
Detection
- Network Monitoring: Alert on inbound HTTP requests to
/module/api.php?mobile/webNasIPScontainingUser-Agent: TNASfrom unexpected source IPs. - Log Review: Examine web server or reverse proxy access logs for repeated requests to the
mobile/webNasIPSendpoint followed by successful logins to the admin panel. - Vulnerability Scanning: Use authenticated and unauthenticated scanners that include checks for CVE-2022-24990 to validate your exposure.
- EPSS Context: With an EPSS score of 0.8405 (99.66th percentile), active exploitation in the wild is highly probable. Prioritize this vulnerability in your patching queue.
Assessment
CVE-2022-24990 is a textbook example of an authentication bypass caused by reliance on easily spoofed client-side signals. The combination of a trivial User-Agent check and the disclosure of a high-value secret (the admin password) makes this vulnerability exceptionally easy to exploit at scale. Its presence on the CISA Known Exploited Vulnerabilities catalog and the EU Exploited Vulnerabilities Database confirms it has been weaponized by threat actors.
Key takeaways:
- Client-provided headers must never serve as the sole authorization mechanism for sensitive operations.
- Passwords and credentials should never be returned in API responses, even to authenticated users, unless strictly necessary and protected by additional controls.
- A high EPSS score combined with KEV listing should trigger immediate, top-priority patching.
References
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990
Frequently asked questions
- What is CVE-2022-24990?
- TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
- How severe is CVE-2022-24990?
- CVE-2022-24990 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-24990 being actively exploited?
- Yes. CVE-2022-24990 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-24990?
- CVE-2022-24990 affects Terra-master Terramaster Operating System. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-24990?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-24990 have an EU (EUVD) identifier?
- Yes. CVE-2022-24990 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-29737. It is also flagged as exploited in the EUVD (since 2023-02-10).
- When was CVE-2022-24990 published?
- CVE-2022-24990 was published on 2023-02-07 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html
- https://forum.terra-master.com/en/viewforum.php?f=28
- https://github.com/0xf4n9x/CVE-2022-24990
- https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990
Affected products (1)
- cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*
More vulnerabilities in Terra-master Terramaster Operating System
- CVE-2022-24989 — Critical (CVSS 9.8): TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and…
- CVE-2020-35665 — Critical (CVSS 9.8): An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in…
- CVE-2018-13354 — Critical (CVSS 9.8): System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands…
- CVE-2018-13350 — Critical (CVSS 9.8): SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event"…
- CVE-2018-13338 — Critical (CVSS 9.8): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands…
- CVE-2018-13336 — Critical (CVSS 9.8): System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands…
All CVEs affecting Terra-master Terramaster Operating System →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →