CVE-2020-35665

CRITICAL EXPLOITED IN THE WILD

TerraMaster Operating System <= 4.2.06 - Unauthenticated Remote Code Execution via Event Parameter in makecvs.php

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-35665 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including AkkuS, including a Metasploit module exploits/linux/http/terramaster_unauth_rce_cve_2020_35665.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.06 via command injection in the 'Event' parameter of 'include/makecvs.php'. It uploads a PHP shell and executes commands.

Description

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

Exploits (3)

exploitdb WORKING POC
by AkkuS · rubywebappslinux
https://www.exploit-db.com/exploits/49330

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS 4.2.06 via command injection in the 'Event' parameter of 'include/makecvs.php'. It uploads a PHP shell and executes commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TerraMaster TOS 4.2.06
No auth needed
Prerequisites: Network access to target · Target running vulnerable TerraMaster TOS version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2020_35665.rb

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS via shell metacharacter injection in the Event parameter of the makecvs.php endpoint. It uploads a webshell and executes commands under the context of the web application, typically running as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TerraMaster TOS <= 4.2.06
No auth needed
Prerequisites: Network access to the TerraMaster device on port 8181
devstral-2 · analyzed Apr 23, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/h00die-gr3y/Metasploit

This repository contains a functional Metasploit module for CVE-2020-35665, targeting TerraMaster NAS devices with an unauthenticated RCE vulnerability. The module is part of a larger collection of private Metasploit modules, including detailed installation and usage instructions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TerraMaster NAS (versions affected by CVE-2020-35665)
No auth needed
Prerequisites: Network access to the vulnerable TerraMaster NAS device
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.8601
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-01-14
InTheWild.io 2021-01-21
CWE
CWE-78
Status published
Products (1)
terra-master/terramaster_operating_system < 4.2.06
Published Dec 23, 2020
Tracked Since Feb 18, 2026