CVE-2022-24989
CVE-2022-24989
Vexday Risk Score
52Atención
Decisión SSVC (CISA)
Act
Explotación + impacto → acción inmediata
Madurez del exploit
Exploit funcional
Exploit automatizable disponible (Nuclei/Metasploit).
CVSS —EPSS 31.9%KEV nãoPoC —Nuclei —Metasploit simPatch —
Ciclo de vida
07 mar 2022Exploit Metasploit disponible
20 ago 2023Publicada en NVD
Recomendación: Corregir cuanto antes — hay explotación activa confirmada.
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Productos afectados
n/a · n/aReferencias
https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990https://forum.terra-master.com/en/viewforum.php?f=28https://github.com/0xf4n9x/CVE-2022-24990https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiationhttps://packetstormsecurity.com/files/172904