QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24989

Published: Aug 20, 2023

Modified: Oct 8, 2024

PUBLISHED

Description

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://forum.terra-master.com/en/viewforum.php?f=28

https://github.com/0xf4n9x/CVE-2022-24990

https://packetstormsecurity.com/files/172904

https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990

https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2022-24989 - Security Vulnerability | QwikSec