CVE-2022-24990 in NAS
Summary
by MITRE • 02/07/2023
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/21/2025
This vulnerability resides in TerraMaster Network Attached Storage devices running firmware versions 4.2.29 and earlier, where a remote attacker can extract administrative credentials through a specific API endpoint manipulation. The flaw manifests when an attacker sends a crafted User-Agent header containing "TNAS" to the module/api.php?mobile/webNasIPS endpoint, which then returns a response containing the PWD field that reveals the administrative password. This represents a critical security oversight in the device's authentication and authorization mechanisms, fundamentally undermining the security posture of the NAS infrastructure.
The technical implementation of this vulnerability stems from inadequate input validation and improper access control within the web application's API handling logic. The system fails to properly authenticate or authorize requests based on the User-Agent header, allowing any remote attacker to bypass normal authentication procedures. This weakness directly maps to CWE-287, which addresses improper authentication issues in software systems, and specifically demonstrates how insufficient validation of user input can lead to unauthorized information disclosure. The vulnerability exists because the application does not implement proper session management or request verification mechanisms before returning sensitive credential information.
The operational impact of this vulnerability is severe and far-reaching for organizations utilizing affected TerraMaster NAS devices. Once exploited, attackers gain immediate administrative access to the storage system, enabling them to manipulate files, modify user permissions, access sensitive data, and potentially use the compromised device as a foothold for further network infiltration. The vulnerability can be exploited remotely without requiring any prior authentication, making it particularly dangerous in environments where NAS devices are exposed to external networks. This flaw aligns with ATT&CK technique T1078.004, which covers legitimate credentials obtained through exploitation of remote services, and represents a critical vector for lateral movement and persistent access within compromised networks.
Organizations should immediately implement mitigations including firmware updates to versions 4.2.30 or later where this vulnerability has been addressed, network segmentation to isolate NAS devices from external access, and implementation of network monitoring to detect suspicious User-Agent patterns targeting the affected API endpoint. Additional protective measures include disabling unnecessary web services, implementing strong access controls, and conducting comprehensive security assessments of all NAS devices within the network infrastructure. The vulnerability underscores the importance of proper input validation, authentication mechanisms, and regular security updates in maintaining the integrity of network storage systems.