CVE-2022-24989

First published: Sun Aug 20 2023(Updated: )

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Credit: cve@mitre.org cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-api
• collector/nvd-index
• agent/severity
• agent/references
• agent/weakness
• agent/author
• agent/description
• agent/type
• agent/event
• agent/last-modified-date
• agent/softwarecombine
• agent/first-publish-date
• agent/tags
• collector/mitre-cve
• source/MITRE
• vendor/terra-master
• canonical/terra-master terramaster operating system
• canonical/terra-master f2-210
• canonical/terra-master f2-221
• canonical/terra-master f2-223
• canonical/terra-master f2-422
• canonical/terra-master f2-423
• canonical/terra-master f4-421
• canonical/terra-master f4-422
• canonical/terra-master f4-423
• canonical/terra-master f5-221
• canonical/terra-master f5-422
• canonical/terra-master t12-423
• canonical/terra-master t12-450
• canonical/terra-master t6-423
• canonical/terra-master t9-423
• canonical/terra-master t9-450
• canonical/terra-master u12-322-9100
• canonical/terra-master u12-423
• canonical/terra-master u12-722-2224
• canonical/terra-master u16-322-9100
• canonical/terra-master u16-722-2224
• canonical/terra-master u24-722-2224
• canonical/terra-master u4-111
• canonical/terra-master u4-211
• canonical/terra-master u4-423
• canonical/terra-master u8-111
• canonical/terra-master u8-322-9100
• canonical/terra-master u8-423
• canonical/terra-master u8-522-9400
• canonical/terra-master u8-722-2224