Cyber Resilience

CVE-2022-24989

Critical · Public PoC

Published: 20 August 2023
Modified: 21 November 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8368 (99.3th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24989 is a critical-severity injection (CWE-74) vulnerability in the Terramaster Operating System from TerraMaster. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TerraMaster NAS versions through 4.2.30 contain a command injection vulnerability in the api.php?mobile/createRaid endpoint. Unauthenticated remote attackers can supply shell metacharacters in the raidtype parameter (with a corresponding diskstring value) that reach a popen call without any sanitization, enabling PHP object instantiation that results in arbitrary code execution as root. The flaw is classified as CWE-74 and carries a CVSS 3.1 base score of 9.8.
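Because the injection travels in the raidtype and diskstring query parameters, it can be spotted in web-server access logs. The following Python is an added example, not code from this page or from TerraMaster: it scans constructed Common Log Format lines for createRaid requests whose parameters contain shell metacharacters or fail a tight allow-list, and flags POST requests whose parameters are not visible in the log line. The request path and the allowed parameter shapes are assumptions; only the api.php?mobile/createRaid query and the two parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
# The "/api.php" path is an assumption; only "api.php?mobile/createRaid" comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2023:10:01:02 +0000] "GET /index.php?user/login HTTP/1.1" 200 512
203.0.113.5 - - [20/Aug/2023:10:01:09 +0000] "GET /api.php?mobile/createRaid&raidtype=raid1&diskstring=sda,sdb HTTP/1.1" 200 88
198.51.100.7 - - [20/Aug/2023:10:02:41 +0000] "GET /api.php?mobile/createRaid&raidtype=raid1%3Becho%20x&diskstring=sda HTTP/1.1" 200 88
198.51.100.7 - - [20/Aug/2023:10:02:50 +0000] "POST /api.php?mobile/createRaid HTTP/1.1" 200 88
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that change how a shell parses a command line once a value reaches popen().
SHELL_META = re.compile(r"[;|&`$(){}<>\\'\"\n]")
# Allow-lists for the two parameters (assumed shapes: a RAID level token, comma-separated device names).
ALLOWED = {
    "raidtype": re.compile(r"^[A-Za-z0-9_-]{1,16}$"),
    "diskstring": re.compile(r"^[A-Za-z0-9_/,-]{1,128}$"),
}

def inspect_line(line):
    """Return (client, severity, reason) for a suspicious createRaid request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("api.php") or "mobile/createRaid" not in url.query:
        return None
    client = line.split()[0]
    params = parse_qs(url.query, keep_blank_values=True)
    for name, allowed in ALLOWED.items():
        for value in params.get(name, []):
            value = unquote(value)  # parse_qs decoded once; decode again to catch %25 double-encoding
            if SHELL_META.search(value) or not allowed.match(value):
                return (client, "high", f"unexpected {name} value {value!r}")
    if m.group("method") != "GET" and not any(k in params for k in ALLOWED):
        # Parameters travelled in the body, which CLF does not record: needs body inspection.
        return (client, "review", f"createRaid via {m.group('method')} with parameters not in request line")
    return None

def scan_log(text):
    """Run inspect_line over every line; returns a list of (line_no, client, severity, reason)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        result = inspect_line(line)
        if result:
            hits.append((n,) + result)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```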

An attacker with WAN access can exploit the issue directly to obtain a root shell. The NVD description notes that valid credentials obtained via the related CVE-2022-24990 vulnerability can be used to facilitate access, although the injection itself does not require prior authentication.

The current EPSS score of 0.8368, which matches its recorded peak, indicates sustained exploitation interest following disclosure. Public references focus on technical analysis and proof-of-concept material rather than vendor mitigation steps.

Vulnerability details

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

CWE(s)

Related Threats

Threat-Actor Attribution (AI-generated)

Cl0p (aka Clop)
Cl0p ransomware exploited TerraMaster NAS RCE flaws (CVE-2022-24989/24990 chain) per public reporting from researchers and incident responders.

Affected Assets

Vendor: terra-master
Product: terramaster operating system
Versions: ≤ 4.2.31

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-74): Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Control (addresses CWE-74): Monitoring for indicators of injection attacks (command, SQL, LDAP, etc.) through anomaly and attack detection.

References