CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Mar 3, 2023

CVE-2022-24990

High

CVSS 7.5EPSS 94.4%CISA KEVPoC AvailableRansomware

TerraMaster/TerraMaster OS

Description

TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.

CVSS Score

7.5/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS — Exploit Probability

94.4%

Higher than 100.0% of all CVEs

Weakness Classification (CWE)

CWE-306CWE-306MITRE

Known Exploits

POC

http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.htmlExploit https://github.com/0xf4n9x/CVE-2022-24990Exploit https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/Exploit http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.htmlExploit https://github.com/0xf4n9x/CVE-2022-24990Exploit https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/Exploit

Required Action

https://forum.terra-master.com/en/viewtopic.php?t=3030; https://nvd.nist.gov/vuln/detail/CVE-2022-24990

Risk Assessment

CRITICAL

In CISA KEV

Known exploit

High EPSS

Ransomware

Details

Severity: High
CVSS: 7.5
EPSS: 94.4%
CWE: CWE-306
Exploit: POC
CISA KEV: Yes
Ransomware: Known
Articles: 0

Timeline

Published

Feb 10, 2023

Added to KEV

Feb 10, 2023

Remediation Due

Mar 3, 2023

Affected Product

TerraMaster

TerraMaster OS

View all TerraMaster CVEs

External Links

NVD (NIST)CVE Details MITRE CVE