CVE-2022-24990

HIGH KEV RANSOMWARE NUCLEI

TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989

Title source: metasploit

Exploitation Summary

CVE-2022-24990 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2023, with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including lishang520, 0xf4n9x, jsongmax, including a Metasploit module exploits/linux/http/terramaster_unauth_rce_cve_2022_24990. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2022-24990, an information disclosure and RCE vulnerability in TerraMaster TOS. It first leaks sensitive information via an API endpoint and then uses the leaked credentials to execute arbitrary commands, writing a PHP file to the target system.

Description

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

Exploits (7)

nomisec WORKING POC 39 stars

by lishang520 · poc

https://github.com/lishang520/CVE-2022-24990

View Code ZIP pw:eip

This PoC exploits CVE-2022-24990, an information disclosure and RCE vulnerability in TerraMaster TOS. It first leaks sensitive information via an API endpoint and then uses the leaked credentials to execute arbitrary commands, writing a PHP file to the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TerraMaster TOS (version not specified)

No auth needed

Prerequisites: Network access to the target · Target running vulnerable TerraMaster TOS

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 14 stars

by 0xf4n9x · remote

https://github.com/0xf4n9x/CVE-2022-24990

View Code ZIP pw:eip

This is a functional exploit for CVE-2022-24990, targeting TerraMaster TOS unauthenticated RCE via PHP Object Instantiation. It includes both vulnerability detection and webshell upload capabilities.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TerraMaster TOS

No auth needed

Prerequisites: Network access to the target · Target running vulnerable TerraMaster TOS

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by jsongmax · remote

https://github.com/jsongmax/terraMaster-CVE-2022-24990

View Code ZIP pw:eip

This repository contains a Go-based exploit for CVE-2022-24990, targeting TerraMaster TOS devices. It includes both a PoC for information leakage and an exploit to upload a webshell via command injection in the 'createRaid' API endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TerraMaster TOS (specific version not specified)

No auth needed

Prerequisites: Network access to the target device · API endpoint '/module/api.php' accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 4 stars

by VVeakee · infoleak

https://github.com/VVeakee/CVE-2022-24990-POC

View Code ZIP pw:eip

This repository contains a Go-based scanner for CVE-2022-24990, which checks for the presence of a vulnerability in TOTOLINK routers by sending a specific HTTP request and analyzing the response. It supports both single URL and batch scanning with configurable threads.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: TOTOLINK routers (specific version not specified)

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1595 - Active Scanning

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 3 stars

by ZZ-SOCMAP · poc

https://github.com/ZZ-SOCMAP/CVE-2022-24990

View Code ZIP pw:eip

This PoC scans for CVE-2022-24990, an unauthenticated information disclosure vulnerability in TerraMaster TOS NAS devices. It checks for the presence of sensitive data (ADDR and PWD) in the API response.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: TerraMaster TOS (version not specified)

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by Jaky5155 · poc

https://github.com/Jaky5155/CVE-2022-24990-TerraMaster-TOS--PHP-

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2022-24990, a command injection vulnerability in TerraMaster TOS. The exploit leverages a crafted HTTP request to execute arbitrary commands via the 'raidtype' parameter in the 'createRaid' API endpoint.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: TerraMaster TOS versions 4.2.x < 4.2.30 and all 4.1.x versions

Auth required

Prerequisites: Network access to the target · Valid authentication credentials or bypass method

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated RCE in TerraMaster TOS by chaining CVE-2022-24990 (sensitive info leak) and CVE-2022-24989 (authenticated RCE). It leaks admin credentials via `api.php?mobile/webNasIPS` and executes commands via `api.php?mobile/createRaid`.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TerraMaster TOS <= 4.2.29

No auth needed

Prerequisites: Network access to TerraMaster NAS on port 8181

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 23, 2026 Full analysis →

Nuclei Templates (1)

TerraMaster TOS < 4.2.30 Server Information Disclosure

HIGHby dwisiswant0

Shodan: TerraMaster || terramaster

References (6)

Core 6

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html

Issue Tracking, Release Notes

https://forum.terra-master.com/en/viewforum.php?f=28

Exploit, Third Party Advisory

https://github.com/0xf4n9x/CVE-2022-24990

Exploit, Third Party Advisory

https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/

Third Party Advisory

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24990

Scores

CVSS v3 7.5

EPSS 0.9440

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2023-02-10

VulnCheck KEV 2022-04-11

InTheWild.io 2023-02-10

ENISA EUVD EUVD-2022-29737

Ransomware Use Confirmed

CWE

CWE-306

Status published

Products (1)

terra-master/terramaster_operating_system < 4.2.31

Published Feb 07, 2023

KEV Added Feb 10, 2023

Tracked Since Feb 18, 2026