CVE-2020-15568

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

TerraMaster TOS <4.1.29 - Code Injection

Title source: llm

Exploitation Summary

CVE-2020-15568 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including divinepwner, n0bugz. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a Metasploit module exploiting CVE-2020-15568, a dynamic class method invocation vulnerability in TerraMaster TOS's exportUser.php, allowing unauthenticated remote code execution with root privileges via crafted HTTP GET parameters.

Description

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

Exploits (2)

nomisec WORKING POC 3 stars
by divinepwner · remote
https://github.com/divinepwner/TerraMaster-TOS-CVE-2020-15568

This is a Metasploit module exploiting CVE-2020-15568, a dynamic class method invocation vulnerability in TerraMaster TOS's exportUser.php, allowing unauthenticated remote code execution with root privileges via crafted HTTP GET parameters.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: TerraMaster TOS <= 4.1.24
No auth needed
Prerequisites: Network access to the target device on port 8181 · Python payload compatibility
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by n0bugz · remote
https://github.com/n0bugz/CVE-2020-15568

This PoC exploits CVE-2020-15568, a remote code execution vulnerability in TerraMaster OS. It leverages a vulnerable endpoint (`exportUser.php`) to execute arbitrary commands via a crafted HTTP request, resulting in a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: TerraMaster OS (versions affected by CVE-2020-15568)
No auth needed
Prerequisites: Network access to the target · Python environment to run the PoC
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

TerraMaster TOS <4.1.29 - Remote Code Execution
CRITICAL · by pikpikcu
FOFA: "terramaster" && header="tos"

References (2)

Core References
Product, Vendor Advisory x_refsource_misc
https://help.terra-master.com/TOS/view/

Scores

CVSS v3 9.8
EPSS 0.2920
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-10-11
InTheWild.io 2021-09-30
CWE: CWE-913
Status: published
Products (1)
terra-master/tos < 4.1.29
Published Jan 30, 2021
Tracked Since Feb 18, 2026