CVE-2022-24990 Overview
CVE-2022-24990 is a critical authentication bypass and information disclosure vulnerability affecting TerraMaster NAS devices running TOS (TerraMaster Operating System) version 4.2.29 and earlier. This vulnerability allows remote attackers to discover the administrative password by sending a specially crafted HTTP request with a specific User-Agent header to an API endpoint. The flaw exposes the administrator's password in plaintext within the server response, enabling complete unauthorized access to the NAS device.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Remote attackers can obtain administrative credentials without authentication, leading to full device compromise, data theft, ransomware deployment, or use of the device as a pivot point for further network intrusion.
Affected Products
- TerraMaster Operating System (TOS) version 4.2.29 and earlier
- TerraMaster F-Series NAS devices (F2-210, F2-221, F2-223, F2-422, F2-423, F4-421, F4-422, F4-423, F5-221, F5-422)
- TerraMaster T-Series NAS devices (T6-423, T9-423, T9-450, T12-423, T12-450)
- TerraMaster U-Series NAS devices (U4-111, U4-211, U4-423, U8-111, U8-322-9100, U8-423, U8-522-9400, U8-722-2224, U12-322-9100, U12-423, U12-722-2224, U16-322-9100, U16-722-2224, U24-722-2224)
Discovery Timeline
- February 7, 2023 - CVE-2022-24990 published to NVD
- November 7, 2025 - Last updated in the NVD database
Technical Details for CVE-2022-24990
Vulnerability Analysis
This vulnerability represents a severe authentication bypass flaw classified under CWE-306 (Missing Authentication for Critical Function). The TerraMaster NAS web management interface contains an API endpoint at module/api.php?mobile/webNasIPS that fails to properly authenticate requests when a specific User-Agent header is present. When an attacker sends an HTTP request with the header User-Agent: TNAS, the server responds with sensitive device information including the administrative password in the PWD field.
The vulnerability is particularly dangerous because it requires no prior authentication or credentials to exploit. An attacker simply needs network access to the NAS device's web interface to retrieve administrator credentials. This flaw has been actively exploited in real-world attacks, including by threat actors deploying ransomware against vulnerable TerraMaster NAS devices.
Root Cause
The root cause of CVE-2022-24990 lies in improper access control within the TerraMaster TOS API implementation. The mobile/webNasIPS endpoint was designed to support mobile application functionality but lacks proper authentication checks. The API trusts the User-Agent header as an indicator of a legitimate mobile client connection, exposing sensitive system information including plaintext credentials without requiring any form of authentication.
Attack Vector
The attack vector for CVE-2022-24990 is network-based and requires no user interaction or prior authentication. An attacker can exploit this vulnerability by:
- Identifying a TerraMaster NAS device exposed to the network (either on a local network or internet-facing)
- Sending a crafted HTTP GET request to the vulnerable API endpoint with the User-Agent: TNAS header
- Parsing the JSON response to extract the PWD field containing the administrator password
- Using the obtained credentials to log into the NAS web interface with full administrative privileges
The attack is trivial to execute and can be automated to scan for vulnerable devices at scale. Once administrative access is obtained, attackers can exfiltrate sensitive data, deploy ransomware, create backdoor accounts, or pivot to other systems on the network. Technical analysis and exploitation details are documented in the Octagon Blog Analysis and Packet Storm Remote Code Execution references.
Detection Methods for CVE-2022-24990
Indicators of Compromise
- HTTP requests to /module/api.php?mobile/webNasIPS with the User-Agent: TNAS header in web server logs
- Unexpected administrative login attempts or successful logins from unknown IP addresses
- Creation of new administrative user accounts without legitimate authorization
- Unusual file access patterns, data exfiltration, or encryption activity on NAS shares
- Network scanning activity targeting port 8181 (default TerraMaster web interface port) or standard HTTP/HTTPS ports
Detection Strategies
- Configure web application firewalls (WAF) to block or alert on requests containing User-Agent: TNAS targeting API endpoints
- Implement intrusion detection/prevention system (IDS/IPS) rules to detect exploitation attempts matching the known attack pattern
- Monitor authentication logs for successful logins from unexpected sources or geographic locations
- Deploy network monitoring to identify scanning activity targeting TerraMaster-specific endpoints
Monitoring Recommendations
- Enable comprehensive logging on all TerraMaster NAS devices and forward logs to a centralized SIEM
- Set up alerts for any access to the module/api.php endpoint with suspicious User-Agent headers
- Monitor for signs of post-exploitation activity including new user creation, configuration changes, and unusual data transfers
- Regularly audit administrative accounts and access patterns for anomalies
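The log-based indicator above (requests to the mobile API endpoint carrying the TNAS User-Agent) can be checked offline against exported web server logs. The script below is an added example and not TerraMaster's or CISA's code; it assumes Apache/nginx combined log format, treats an HTTP 200 on the matching request as probable credential disclosure, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Combined log format: host ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
VULN_PATH = "/module/api.php?mobile/webnasips"  # endpoint named in the advisory, lower-cased
TRIGGER_UA = "tnas"                              # User-Agent value named in the advisory

@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    disclosed: bool  # HTTP 200 means the PWD field was most likely returned

def parse_line(line: str) -> Optional[dict]:
    # Return the named fields of one combined-format line, or None if it does not parse
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_exploit_attempt(rec: dict) -> bool:
    # Percent-decode and lower-case so case changes or %2F do not slip past the signature
    path = unquote(rec["path"]).lower()
    return path.startswith(VULN_PATH) and rec["ua"].strip().lower() == TRIGGER_UA

def scan_log(lines) -> List[Finding]:
    # One Finding per request matching the signature, in log order
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_exploit_attempt(rec):
            status = int(rec["status"])
            findings.append(Finding(rec["ip"], rec["ts"], status, status == 200))
    return findings

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation address space
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Feb/2023:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Vulnerable endpoint + TNAS User-Agent answered with 200: credential disclosure likely
    '203.0.113.45 - - [10/Feb/2023:08:02:30 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 874 "-" "TNAS"',
    # Same endpoint from a browser User-Agent is not the disclosure signature and is not flagged
    '192.168.1.20 - - [10/Feb/2023:08:03:05 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    # Mixed case and %2F, blocked by a WAF with 403: still recorded as an attempt
    '203.0.113.77 - - [10/Feb/2023:08:04:41 +0000] "GET /Module/Api.php?mobile%2FwebNasIPS HTTP/1.1" 403 199 "-" "tnas "',
]
```

Any `disclosed` finding should be treated as a confirmed credential exposure: rotate the administrator password and review the account and access logs as described under Immediate Actions.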
How to Mitigate CVE-2022-24990
Immediate Actions Required
- Immediately update all TerraMaster NAS devices to TOS version 4.2.30 or later, which addresses this vulnerability
- Restrict network access to NAS management interfaces using firewall rules, allowing only trusted IP addresses
- Remove TerraMaster NAS devices from direct internet exposure; place behind VPN if remote access is required
- Change all administrative passwords immediately, especially if the device may have been exposed while vulnerable
- Audit administrative accounts for any unauthorized additions and review access logs for signs of compromise
Patch Information
TerraMaster has released TOS version 4.2.30 and later versions that address this vulnerability. Administrators should update to the latest available TOS version through the device's web interface or by downloading firmware directly from the TerraMaster website. For additional information, refer to the TerraMaster Forum Discussion. Due to active exploitation of this vulnerability, CISA has added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to prioritize remediation.
Workarounds
- Isolate vulnerable NAS devices on a dedicated network segment with strict access controls until patching is possible
- Block external access to the NAS web management interface at the perimeter firewall
- Implement network-level authentication (802.1X) to restrict which devices can communicate with the NAS
- Deploy a reverse proxy with authentication requirements in front of the NAS web interface as a temporary protective measure
# Example: Block external access to the TerraMaster NAS web interface using iptables
# Allow only the local network to reach the management port (8181 is the TOS default).
# These rules must come before any general ACCEPT rule in the INPUT chain, or the DROP never fires.
iptables -A INPUT -p tcp --dport 8181 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j DROP
# Alternative: reject the TNAS User-Agent at the web server level (if a reverse proxy is in use)
# Apache mod_rewrite example. In server or virtual-host context the matched path begins with "/",
# so the optional leading slash lets the same rule work in .htaccess context too. [F] implies [L].
# RewriteEngine On
# RewriteCond %{HTTP_USER_AGENT} ^TNAS$ [NC]
# RewriteRule ^/?module/api\.php - [F]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.