CVE-2022-24989
Published: 20 August 2023
Summary
CVE-2022-24989 is a critical-severity Injection (CWE-74) vulnerability in TerraMaster Operating System (TOS), the firmware of TerraMaster NAS devices. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TerraMaster NAS firmware through 4.2.30 contains a command injection vulnerability in the api.php?mobile/createRaid endpoint. The api.php front controller dispatches the mobile/createRaid URI by instantiating the corresponding PHP handler object (the "PHP Object Instantiation" in the NVD wording), and the createRaid handler passes the raidtype parameter, together with a diskstring value naming the disks, to popen without any sanitization. Shell metacharacters placed in raidtype are therefore interpreted by the shell, and because the command runs with the web service's root privileges the result is arbitrary code execution as root. The flaw is tracked as CWE-74 and carries a CVSS 3.1 base score of 9.8.
The NVD description characterises the attacker as remote on the WAN and does not state that valid credentials are required, but it also notes that credentials obtained via the related CVE-2022-24990 vulnerability "can be used". Treat the realistic attack as a two-step chain (harvest credentials, then submit the injected createRaid request) and assume that any host able to reach api.php on the NAS is exposed.
The current EPSS score of 0.8368 matches its recorded peak, indicating sustained exploitation interest since disclosure. Public references concentrate on technical analysis and proof-of-concept material rather than vendor mitigation steps; the affected range ("through 4.2.30") implies that later TOS builds contain the fix, and since the attack vector is the WAN, keeping the NAS management interface off the public Internet removes the exposure in the meantime.
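The injection pattern described above, modelled as an added example (this is not TerraMaster's code): a hypothetical handler that builds a RAID-creation command from the two request parameters the advisory names and hands the string to a shell, beside a hardened version that allow-lists both fields and executes an argv list without a shell. The router-side object instantiation is not modelled, `echo` stands in for the real array tool so the demonstration is harmless, and the allow-lists and device naming are assumptions.

```python
"""Command-injection pattern behind createRaid, modelled in Python.

Added example, not TerraMaster's code: a hypothetical handler that builds a
RAID-creation command from the two request parameters the advisory names
(raidtype, diskstring) and hands the string to a shell, which is what the
advisory says happens via popen with no sanitization. 'echo' stands in for
the real array tool so the demonstration is harmless; the allow-lists and
the /dev/sdX naming are assumptions.
"""
import re
import shlex
import subprocess

ALLOWED_RAID_LEVELS = {"0", "1", "5", "6", "10"}  # assumed valid raidtype values
DISK_RE = re.compile(r"^/dev/sd[a-z]$")           # assumed device naming


def build_command_vulnerable(raidtype, diskstring):
    """String concatenation: whatever the client sent lands on the shell line."""
    return "echo mdadm --create /dev/md0 --level=%s %s" % (raidtype, diskstring)


def run_vulnerable(raidtype, diskstring):
    """shell=True is what popen() does: /bin/sh parses the line, so ';', '|',
    '$()' and friends inside raidtype become additional commands."""
    cmd = build_command_vulnerable(raidtype, diskstring)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def build_command_hardened(raidtype, diskstring):
    """Allow-list each field and build an argv list, never a shell string."""
    if raidtype not in ALLOWED_RAID_LEVELS:
        raise ValueError("invalid raidtype: %r" % raidtype)
    disks = diskstring.split(",")
    for disk in disks:
        if not DISK_RE.match(disk):
            raise ValueError("invalid disk: %r" % disk)
    return ["echo", "mdadm", "--create", "/dev/md0", "--level=" + raidtype] + disks


def run_hardened(raidtype, diskstring):
    """argv execution: no shell is involved, so metacharacters carry no meaning."""
    argv = build_command_hardened(raidtype, diskstring)
    return subprocess.run(argv, capture_output=True, text=True).stdout


def accepts(raidtype, diskstring):
    """True if the hardened validator would let the request through."""
    try:
        build_command_hardened(raidtype, diskstring)
        return True
    except ValueError:
        return False


def shell_would_run_extra_command(cmd):
    """Tokenise the line the way sh does (punctuation_chars splits ; | & etc.)
    and report whether it contains a command separator, i.e. a second command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return any(tok in {";", "&", "&&", "|", "||"} for tok in lexer)


if __name__ == "__main__":
    disks = "/dev/sda,/dev/sdb"
    payload = "1; echo INJECTED"  # constructed attacker value for raidtype
    print(run_vulnerable(payload, disks), end="")  # second output line reads INJECTED ...
    print(accepts(payload, disks))                 # False: rejected by the allow-list
    print(run_hardened("1", disks), end="")        # the only command that ever runs
```

The point of `shell_would_run_extra_command` is that the defect is visible before anything executes: once request data is concatenated into a string that a shell will parse, escaping individual characters is a losing game, and the fix is to stop using a shell string at all. In PHP terms that means an allow-list on `raidtype`, a strict pattern on each disk in `diskstring`, and `proc_open` with an argv array (or at minimum `escapeshellarg` on every field) rather than `popen` on a concatenated command.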
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29736
Vulnerability details
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-74) cited in the NVD entry.
- Developer security testing, including injection-focused test cases, identifies improper neutralization of special elements before deployment, and verifiable flaw remediation corrects what it finds. For this CVE that means allow-listing raidtype and diskstring and never passing request data to popen as part of a shell string.
- Attack and anomaly monitoring identifies indicators of injection attempts (command, SQL, LDAP and similar). For this CVE, the indicator is a request to api.php?mobile/createRaid whose raidtype or diskstring parameter carries shell metacharacters.
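A detection rule for the second control, as an added example that is not the page's or the vendor's code: it scans combined-format web access-log lines for requests to api.php?mobile/createRaid whose raidtype or diskstring parameter contains shell metacharacters once URL-decoded (including one level of double encoding). The sample lines, the documentation-range IPs and the TNAS user-agent string are constructed; the log field layout is assumed.

```python
"""Spotting createRaid injection attempts in web access logs.

Added example, not from the page or from TerraMaster. It scans combined-format
access-log lines (constructed samples below, documentation-range IPs) for
requests to api.php?mobile/createRaid whose raidtype or diskstring parameter
contains shell metacharacters once URL-decoded. Field layout and the TNAS
user-agent string are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters /bin/sh gives meaning to; '\n' covers %0A newline injection.
SHELL_META = set(";|&`$(){}<>\n")
WATCHED_PARAMS = ("raidtype", "diskstring")
ROUTE = "mobile/createRaid"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # constructed sample lines
    '198.51.100.7 - - [07/Mar/2023:10:01:02 +0000] "GET /api.php?mobile/createRaid&raidtype=1&diskstring=%2Fdev%2Fsda%2C%2Fdev%2Fsdb HTTP/1.1" 200 51 "-" "TNAS/1.0"',
    '203.0.113.9 - - [07/Mar/2023:10:02:15 +0000] "GET /api.php?mobile/createRaid&raidtype=1%3Bid&diskstring=%2Fdev%2Fsda HTTP/1.1" 200 88 "-" "curl/7.88.1"',
    '203.0.113.9 - - [07/Mar/2023:10:02:16 +0000] "GET /api.php?mobile/createRaid&raidtype=1%257Cid&diskstring=%2Fdev%2Fsda HTTP/1.1" 200 88 "-" "curl/7.88.1"',
    '203.0.113.9 - - [07/Mar/2023:10:00:40 +0000] "GET /api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "curl/7.88.1"',
    '198.51.100.7 - - [07/Mar/2023:10:05:00 +0000] "POST /api.php?mobile/createRaid HTTP/1.1" 200 51 "-" "TNAS/1.0"',
]


def classify(line):
    """None for lines that are not createRaid requests; otherwise a dict with
    'suspicious', the offending parameter, its decoded value and the
    metacharacters found."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/api.php"):
        return None
    # TOS routes on the first query component, which carries no '=' sign.
    if unquote(parts.query.split("&", 1)[0]) != ROUTE:
        return None
    hit = {"ip": m.group("ip"), "method": m.group("method"),
           "status": m.group("status"), "suspicious": False,
           "param": None, "value": None, "meta": []}
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs decoded once; decode again to catch %25-style double encoding.
            decoded = unquote(value)
            meta = sorted(set(decoded) & SHELL_META)
            if meta:
                hit.update(suspicious=True, param=name, value=decoded, meta=meta)
                return hit
    return hit


def scan(lines):
    """Return only the suspicious createRaid requests, in log order."""
    return [h for h in (classify(l) for l in lines) if h and h["suspicious"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two caveats for deployment. First, the fifth sample line is a POST: parameters carried in the request body never reach the access log, so the rule reports it as a createRaid request but cannot flag it, and catching that path needs request-body logging at the reverse proxy or a WAF in front of the NAS. Second, given the credential chain noted in the description, a request to api.php?mobile/webNasIPS from the same source shortly before a createRaid request (as in the third and second sample lines) is worth correlating even when the createRaid parameters look benign.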