Cyber Resilience

CVE-2022-24990

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 07 February 2023
Modified: 07 November 2025
KEV Added: 10 February 2023
Patch
CVSS Score v3.1: 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9440 (100.0th percentile)
Risk Priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24990 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in TerraMaster's Terramaster Operating System. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS 0.9440, 100.0th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2022-24990 affects TerraMaster NAS devices running version 4.2.29 and earlier. The flaw stems from missing authentication on the endpoint module/api.php?mobile/webNasIPS, which returns the administrative password in the PWD field of a JSON response when the request includes the User-Agent string "TNAS". This corresponds to CWE-306 and carries a CVSS 3.1 score of 7.5 reflecting network-accessible confidentiality impact without any required credentials.

An unauthenticated remote attacker can simply issue the crafted request to obtain valid administrative credentials. Possession of these credentials enables further actions such as configuration changes, data access, or escalation to remote code execution as demonstrated in public proof-of-concept material.

Public references include exploit code on GitHub and Packet Storm, a detailed technical write-up describing unauthenticated remote command execution via PHP object instantiation, and a Broadcom attack-signature entry, indicating active interest in the issue. The associated EPSS score has reached a peak of 0.9675 with a current value of 0.9440.
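The trigger described above (a request to module/api.php?mobile/webNasIPS carrying the User-Agent "TNAS") is concrete enough to hunt for in web-server logs. The following detection script is an added example, not part of this record or of TerraMaster's software; it assumes the NAS or a reverse proxy in front of it writes Combined Log Format access logs, and the log lines are constructed for illustration. It also flags probes of the endpoint from other user agents, which the text does not cover, as lower-confidence reconnaissance.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Combined Log Format), not real device logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:08:01:12 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"
192.0.2.5 - - [10/Feb/2023:08:02:03 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2023:08:02:40 +0000] "GET /module/api.php?mobile%2FwebNasIPS HTTP/1.1" 200 512 "-" "TNAS"
198.51.100.2 - - [10/Feb/2023:08:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "TNAS"
"""

# Combined Log Format: ip ident user [ts] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_webnasips_request(target):
    """True when the request targets module/api.php with the webNasIPS query,
    after percent-decoding and case-folding so simple encoding tricks still match."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    return path.endswith("/module/api.php") and "mobile/webnasips" in query

def classify(entry):
    """Label one parsed entry: 'exploit-pattern' for the CVE-2022-24990 trigger
    (TNAS user agent, successful response), 'endpoint-probe' for any other
    hit on the endpoint, None otherwise."""
    if not is_webnasips_request(entry["target"]):
        return None
    if entry["ua"].strip() == "TNAS" and entry["status"] == "200":
        return "exploit-pattern"
    return "endpoint-probe"

def find_suspicious(log_text):
    """Scan a log blob and return (source ip, timestamp, label) for each finding."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["ts"], label))
    return findings

if __name__ == "__main__":
    for ip, ts, label in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} {label}")
```

Any 'exploit-pattern' hit with a 200 response on an unpatched device should be treated as a likely credential disclosure, and the admin password rotated after upgrading.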

EU & UK References

Vulnerability details

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 10 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: terra-master
Product: terramaster operating system
Versions: ≤ 4.2.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): directly enforces access-control policy so the unauthenticated mobile/webNasIPS endpoint cannot return the clear-text admin password.

IA-2 Identification and Authentication (Organizational Users) (prevent): requires identification and authentication of users before any system access, blocking the unauthenticated request that leaks the PWD field.

AC-6 Least Privilege (prevent): ensures only the minimum privileges are granted, so even if a request reaches the endpoint the administrative password is not exposed to unauthorized callers.

References