← back
CVE-2022-24989

CVE-2022-24989

EPSS 31.9%◆ VulnCheck KEV
Vexday Risk Score
52Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS EPSS 31.9%KEV nãoPoC Nuclei Metasploit simPatch
Lifecycle
07 Mar 2022Metasploit module available
20 Aug 2023Published on NVD
Recommendation: Patch as soon as possible — active exploitation confirmed.
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Affected products
n/a · n/a