CVE-2022-24989

9.8 CRITICAL

📋 TL;DR

CVE-2022-24989 is a critical remote code execution vulnerability in TerraMaster NAS devices that allows attackers to execute arbitrary commands as root via unauthenticated API requests. Attackers can exploit this by sending specially crafted parameters to the createRaid endpoint, which uses popen() without proper input sanitization. All TerraMaster NAS users with internet-facing devices or internal network access are affected.

💻 Affected Systems

Products:
  • TerraMaster NAS devices running TOS (TerraMaster Operating System)
Versions: TOS through version 4.2.30
Operating Systems: TerraMaster TOS (Linux-based NAS OS)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability is in the web interface API and requires network access to the NAS management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with root-level access, data theft, ransomware deployment, and persistent backdoor installation across the entire NAS infrastructure.

🟠 Likely Case: Unauthenticated attackers gaining root shell access to execute arbitrary commands, potentially leading to data exfiltration, cryptomining, or lateral movement within the network.

🟢 If Mitigated: Limited impact if the device is isolated behind strict firewall rules with no external access, though internal attackers could still exploit it if network segmentation is weak.

🌐 Internet-Facing: HIGH - Directly exploitable via WAN without authentication, making internet-facing devices immediate targets for automated attacks.
🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and provides root access, making it dangerous for any attacker with network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits exist, and the vulnerability is actively exploited in the wild. Attackers can chain this with CVE-2022-24990 for credential access first, though this CVE works independently.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TOS 4.2.31 and later

Vendor Advisory: https://forum.terra-master.com/en/viewforum.php?f=28

Restart Required: Yes

Instructions:

1. Log into the TerraMaster TOS web interface.
2. Navigate to Control Panel > General Settings > Update & Restore.
3. Check for updates and install TOS 4.2.31 or later.
4. Reboot the NAS after the update completes.

🔧 Temporary Workarounds

Block API endpoint via firewall (Linux)

Temporarily block access to the vulnerable API endpoint while awaiting the patch:

iptables -A INPUT -p tcp --dport 80 -m string --string "/api.php?mobile/createRaid" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/api.php?mobile/createRaid" --algo bm -j DROP

Caveat: the string match only sees plaintext. On port 443 the request line is inside TLS, so the second rule will not match unless TLS is terminated in front of this filter (for example on a reverse proxy). The match is also per packet, so a request line split across TCP segments can slip past it. Treat these rules as a stopgap until the update is applied, not as a fix.

Disable WAN access to NAS management (all platforms)

Remove the NAS management interface from internet exposure: configure the firewall/router to block external access to the NAS IP on ports 80, 443, and any other management ports.

🧯 If You Can't Patch

  • Isolate the NAS device in a separate VLAN with strict access controls, allowing only trusted administrative systems to connect
  • Implement network-based intrusion prevention rules to detect and block exploit attempts targeting the createRaid endpoint

🔍 How to Verify

Check if Vulnerable:

Check the TOS version in Control Panel > General Settings > Update & Restore. If the version is 4.2.30 or earlier, the system is vulnerable.

Check Version:

Connect to the NAS web interface and navigate to Control Panel, or check the system logs via SSH if it is enabled.

Verify Fix Applied:

After updating, verify that the TOS version shows 4.2.31 or later. Test the API endpoint with a safe payload to confirm it no longer executes arbitrary commands.
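The version threshold above (4.2.30 and earlier vulnerable, 4.2.31 and later fixed) is easy to get wrong when checking a fleet of devices, because a plain string comparison ranks "4.2.9" above "4.2.30". The following is an added example, not code from the page or from TerraMaster: it parses reported TOS version strings into numeric tuples and triages an inventory. The accepted display formats ("4.2.30", "TOS 4.2.30") and the inventory contents are assumptions; collect the real version strings from the Control Panel or over SSH as described above.

```python
import re

# First TOS release that carries the fix, as stated in the advisory summary above.
FIXED_VERSION = (4, 2, 31)

# Accepts "4.2.30", "TOS 4.2.30", "TOS-4.2.30-0301" and similar (assumed display formats).
VERSION_RE = re.compile(r"^\s*(?:TOS[\s_-]*)?(\d+)\.(\d+)\.(\d+)")


def parse_tos_version(text: str) -> tuple:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Comparing as strings is the classic mistake: "4.2.9" > "4.2.30" lexically,
    so a 4.2.9 device would wrongly look patched.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TOS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the reported TOS version predates the fixed release."""
    return parse_tos_version(version_text) < FIXED_VERSION


def triage(inventory: dict) -> dict:
    """Split an inventory {hostname: version string} into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # could not parse; check the device by hand
        result[bucket].append(host)
    return result


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "nas-01": "TOS 4.2.30",
    "nas-02": "4.2.31",
    "nas-03": "4.2.9",
    "nas-04": "4.3.0",
    "nas-05": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices that land in the "unknown" bucket should be checked manually rather than assumed patched.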

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /api.php?mobile/createRaid with raidtype or diskstring parameters containing shell metacharacters
  • Multiple failed authentication attempts followed by API exploitation attempts
  • Unexpected child processes spawned by the web server process (the vulnerable code path calls popen()), visible in process auditing or system logs

Network Indicators:

  • HTTP requests containing shell commands in raidtype parameter (e.g., raidtype=;id;)
  • Traffic to createRaid endpoint from unexpected source IPs
  • Outbound connections from NAS to suspicious external IPs post-exploitation

SIEM Query:

source="nas_logs" AND (url="/api.php?mobile/createRaid" AND (raidtype="*;*" OR diskstring="*;*" OR raidtype="*`*" OR raidtype="*$(*)"))
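The log and network indicators above, together with the SIEM query, can also be checked offline against exported web server logs. The following is an added example, not code from the page or from TerraMaster: it parses combined-format access-log lines, URL-decodes the raidtype and diskstring parameters of requests to the createRaid endpoint, and flags values containing shell metacharacters (the same `;`, backtick and `$(` set the SIEM query uses, plus `|`, `&`, redirection and newlines). The sample log lines are constructed. Note that a standard access log records only the request line, so parameters sent in a POST body are invisible to it; the optional `body` argument is there for proxy or WAF logs that capture bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:15:01 +0000] "POST /api.php?mobile/createRaid&raidtype=%3Bid%3B&diskstring=sda HTTP/1.1" 200 512 "-" "python-requests/2.27"
192.0.2.10 - - [10/Mar/2022:10:16:22 +0000] "GET /api.php?mobile/createRaid&raidtype=1&diskstring=sda,sdb HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2022:10:17:05 +0000] "POST /api.php?mobile/createRaid&raidtype=1&diskstring=sda%60id%60 HTTP/1.1" 200 512 "-" "curl/7.80"
192.0.2.10 - - [10/Mar/2022:10:18:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a RAID type or disk list.
META_RE = re.compile(r'[;|&`<>\n]|\$\(')

WATCHED_PARAMS = ("raidtype", "diskstring")


def suspicious_params(target: str, body: str = "") -> dict:
    """Return {param: decoded value} for watched parameters carrying shell
    metacharacters, or {} if the request is not for createRaid or looks benign.

    `target` is the request target from the log line; `body` is an optional
    form-encoded POST body from a proxy/WAF log that records bodies.
    """
    parts = urlsplit(target)
    # TOS serves the API from api.php; the action is carried in the query string.
    if not parts.path.endswith("/api.php") or "mobile/createRaid" not in parts.query:
        return {}
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if META_RE.search(value):
                hits[name] = value
    return hits


def scan_log(text: str) -> list:
    """Parse log lines and return one alert dict per request that trips the check."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({
                "src": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "params": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['src']} {alert['method']} createRaid "
              f"suspicious params: {alert['params']}")
```

Because the check runs on the decoded values, percent-encoded payloads (`%3B` for `;`, `%60` for a backtick) are caught the same way as literal ones; matching the raw request line would miss them.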
