Critical Security Vulnerabilities Detected in TerraMaster TOS

Cybersecurity firm Octagon Networks has detected critical security vulnerabilities on TerraMaster network-attached storage (TNAS) devices that can be exploited to remotely execute code with high privileges (RCE) on target systems.

The vulnerabilities are contained in TerraMaster’s operating system, TOS, which provides storage management, application installation, and data backup. Unauthenticated threat actors need only a vulnerable device's IP address to exploit these vulnerabilities.

The details of these security vulnerabilities are as follows:

  • The vulnerability tracked as CVE-2022-24990 exists due to an information leak in a component named WebNasIPS. As a result, a remote threat actor can obtain the device firmware version, IP address, MAC address, and admin password hash through this vulnerability.
  • The security vulnerability tracked as CVE-2022-24989 exists due to a command injection error in a PHP module named CreateRaid. By chaining the two vulnerabilities, threat actors can send a tailored command to achieve remote code execution.

An increase is being observed in ransomware attacks carried out through known security vulnerabilities on NAS devices. In this context, it is recommended that users running vulnerable TOS versions upgrade their systems to the latest version, 4.2.30, to avoid possible attack risks.
