CVE-2022-24989

CRITICAL EXPLOITED RANSOMWARE

Terra-master Terramaster Operating System < 4.2.31 - Injection

Title source: rule

Description

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb

View Code ZIP pw:eip

References (5)

[Third Party Advisory] https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990

[Release Notes] https://forum.terra-master.com/en/viewforum.php?f=28

[Exploit] https://github.com/0xf4n9x/CVE-2022-24990

[Exploit] https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation

[Exploit, Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/172904

Scores

CVSS v3 9.8

EPSS 0.8211

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-02-22

Ransomware Use Confirmed

CWE

CWE-74

Status published

Products (1)

terra-master/terramaster_operating_system < 4.2.31

Published Aug 20, 2023

Tracked Since Feb 18, 2026