CVE-2022-24989

CRITICAL EXPLOITED RANSOMWARE

TerraMaster TOS < 4.2.31 - Unauthenticated Remote Code Execution via api.php Raid Creation

Title source: llm

Exploitation Summary

CVE-2022-24989 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 1 public exploit, including a Metasploit module exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated RCE in TerraMaster TOS by chaining CVE-2022-24990 (info leak) and CVE-2022-24989 (authenticated RCE). It leaks admin credentials via `api.php?mobile/webNasIPS` and executes commands via `api.php?mobile/createRaid`.

Description

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated RCE in TerraMaster TOS by chaining CVE-2022-24990 (info leak) and CVE-2022-24989 (authenticated RCE). It leaks admin credentials via `api.php?mobile/webNasIPS` and executes commands via `api.php?mobile/createRaid`.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TerraMaster TOS <= 4.2.29

No auth needed

Prerequisites: Network access to TerraMaster TOS web interface (port 8181)

MITRE ATT&CK

T1003 - OS Credential Dumping T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory

https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990

Release Notes

https://forum.terra-master.com/en/viewforum.php?f=28

Exploit

https://github.com/0xf4n9x/CVE-2022-24990

View Exploit ZIP pw:eip

Exploit

https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation

Exploit, Third Party Advisory, VDB Entry

https://packetstormsecurity.com/files/172904

Scores

CVSS v3 9.8

EPSS 0.3188

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-02-22

Ransomware Use Confirmed

CWE

CWE-74

Status published

Products (1)

terra-master/terramaster_operating_system < 4.2.31

Published Aug 20, 2023

Tracked Since Feb 18, 2026