GCVE - cpe:2.3:o:terra-master:terramaster_operating

Approved changes feed: RSS · Atom

cpe:2.3:o:terra-master:terramaster_operating_system:*:*:*:*:*:*:*:*

part: o version: * update: *

Vendor	Terra Master (`d89fe82a-9386-553b-9a83-7412a03e5915`)
Product	Terramaster Operating System (`13817686-03da-511b-b151-f45a7c059690`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2022-24990`	vulnerable	2026-06-03 14:46:36.808616	Details available TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response. Published: 2023-02-07T00:00:00.000Z Updated: 2025-10-21T23:15:27.378Z Open on db.gcve.eu Reference links https://forum.terra-master.com/en/viewforum.php?f=28 https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33732 https://github.com/0xf4n9x/CVE-2022-24990 https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/ http://packetstormsecurity.com/files/172904/TerraMaster-TOS-4.2.29-Remote-Code-Execution.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-24989`	vulnerable	2026-06-03 14:46:36.787134	Details available TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used. Published: 2023-08-20T00:00:00.000Z Updated: 2024-10-08T14:30:47.504Z Open on db.gcve.eu Reference links https://forum.terra-master.com/en/viewforum.php?f=28 https://github.com/0xf4n9x/CVE-2022-24990 https://packetstormsecurity.com/files/172904 https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990 https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-35665`	vulnerable	2026-06-03 14:42:32.151924	Details available An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation. Published: 2020-12-23T00:00:00.000Z Updated: 2024-08-04T17:09:14.835Z Open on db.gcve.eu Reference links https://www.pentest.com.tr/exploits/TerraMaster-TOS-4-2-06-Unauthenticated-Remote-Code-Execution.html https://www.exploit-db.com/exploits/49330 http://packetstormsecurity.com/files/172880/TerraMaster-TOS-4.2.06-Remote-Code-Execution.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-9328`	vulnerable	2026-06-03 14:37:41.429883	Details available Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root. Published: 2017-09-15T20:00:00.000Z Updated: 2024-08-05T17:02:44.168Z Open on db.gcve.eu Reference links https://gist.github.com/hybriz/63bbe2d963e531357aca353c74dd1ad5	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Terramaster Operating System

PURL mappings

Vulnerability references

Contribute