CVE-2022-24990 — TerraMaster OS Remote Command Execution Vulnerability

TerraMaster TOS — Unauthenticated RCE via Missing Authentication in API Endpoint; Exploited by DeadBolt Ransomware for NAS Encryption; Fixed TOS 4.2.30

What is TerraMaster OS?

TerraMaster OS (TOS) is the Linux-based operating system running on TerraMaster Network Attached Storage (NAS) devices — consumer and small business NAS appliances used for file storage, backup, and media streaming. TOS provides a web-based administration interface and a REST API (/module/api.php) for programmatic device management. NAS devices like those running TOS are attractive ransomware targets: they are always-on, often internet-accessible, store backups and critical user data, and frequently run outdated firmware because home and small business users rarely apply firmware updates. Encrypting a NAS effectively ransoms all data stored on the device as well as any backups the NAS holds — making NAS ransomware a high-impact attack for victims who have not maintained offline copies.

Overview

CVE-2022-24990 is a missing authentication vulnerability (CWE-306) in TerraMaster OS that allows an unauthenticated remote attacker to execute arbitrary commands on the device through an exposed API endpoint. The vulnerability was exploited by the DeadBolt ransomware group in March 2022 to encrypt TerraMaster NAS devices and demand Bitcoin ransoms — part of DeadBolt's multi-platform NAS campaign that also targeted QNAP and Asustor devices. TerraMaster patched it in TOS 4.2.30; CVE formal publication was delayed nearly 11 months to February 2023, at which point CISA added it to the KEV catalog 3 days later.

Note: The NVD CVSS score of 7.5 with C:H/I:N/A:N appears to undercount the integrity and availability impact — successful exploitation enables full command execution, allowing ransomware to encrypt all NAS data.

Affected Versions

Product              | Affected        | Fixed
TerraMaster OS (TOS) | Prior to 4.2.30 | 4.2.30

Technical Details

The missing authentication (CWE-306) exists in the TerraMaster OS API endpoint at /module/api.php. This endpoint accepts a type parameter that specifies which API module function to invoke. In vulnerable versions, certain API functions accessible through this endpoint do not require authentication — they can be called without a valid session token or credentials. An attacker can:

  1. Send an unauthenticated HTTP request to /module/api.php with a type parameter value targeting a vulnerable function
  2. Trigger OS command execution — the API function passes attacker-controlled parameters to a system call or shell command without authentication checks or adequate input sanitization
  3. Execute arbitrary OS commands — as the web server process (typically root or an elevated account on embedded NAS devices), enabling full device compromise

With root-level command execution on the NAS, DeadBolt ransomware:

  • Encrypts all files on attached storage volumes, appending .deadbolt extensions
  • Replaces the NAS login page with a ransom demand instructing the owner to pay Bitcoin for a decryption key
  • May delete volume snapshots and backup copies stored on the same device to maximize leverage

Discovery

CVE-2022-24990 was identified in connection with the March 2022 DeadBolt ransomware campaign, in which TerraMaster NAS devices were mass-encrypted. The vulnerability was implicitly disclosed when TerraMaster released the TOS 4.2.30 emergency patch in March 2022. Formal CVE assignment and NVD publication followed approximately 11 months later.

Exploitation Context

DeadBolt ransomware targeted NAS devices from multiple vendors in 2022, including QNAP (multiple CVEs), Asustor, and TerraMaster, exploiting known vulnerabilities for automated mass ransomware deployment:

  • NAS devices run 24/7 and are frequently exposed to the internet for remote access (file sync, media streaming)
  • TerraMaster devices running TOS are predominantly deployed in home and small business environments with minimal security monitoring
  • Victims without offline backups face complete data loss if they cannot pay the ransom or obtain a decryption key
  • DeadBolt's ransom demands were typically modest ($1,000–$5,000 USD in Bitcoin) per device, optimized for high-volume automated collection rather than targeted negotiation

The rapid KEV addition (3 days after NVD publication in February 2023) reflects that CISA had been tracking the DeadBolt exploitation activity against NAS vendors throughout 2022 and was prepared to add CVE-2022-24990 as soon as formal publication occurred.

Remediation

  1. Upgrade TOS to version 4.2.30 or later — apply via the TerraMaster OS admin panel under System Update; this closes the unauthenticated API endpoint.
  2. Disable internet-facing NAS access — remove direct internet exposure of the TerraMaster web interface; use a VPN for remote access rather than port-forwarding the NAS admin port.
  3. Maintain offline backups — keep at least one backup copy disconnected from the NAS (external drive, cloud service, separate network location) to recover without paying ransom if the NAS is compromised.
  4. Enable firewall rules on your router — block external access to the NAS management port (typically TCP 8181 or 5443); limit access to trusted LAN IP addresses.
  5. Check for signs of DeadBolt infection — examine files for .deadbolt extension and look for a modified login page; TerraMaster and QNAP both published recovery guidance for affected devices.
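The following script is an added example written for this advisory; it is not TerraMaster's code and not part of the original page. It turns remediation steps 1, 4 and 5 into checks a NAS owner or analyst can run: it compares a TOS version string against the 4.2.30 fix, walks a storage volume for files carrying the .deadbolt extension, and triages web-server access log lines for hits on /module/api.php from outside the trusted LAN. The function names, the common-log-format layout (real TOS logs may differ), the trusted LAN of 192.168.1.0/24 and all sample data are assumptions constructed for the example.

```python
"""Defender-side triage for CVE-2022-24990 / DeadBolt on a TerraMaster NAS.

Added example; not TerraMaster's code. Assumptions (hypothetical): the TOS
version is available as a dotted string, the web-server access log uses the
common log format (real TOS logs may differ), and the trusted LAN is
192.168.1.0/24. All sample data below is constructed.
"""
import ipaddress
import os
import re
import tempfile
from typing import Iterable, List, Tuple

FIXED_VERSION = (4, 2, 30)          # advisory: patched in TOS 4.2.30
API_ENDPOINT = "/module/api.php"    # advisory: endpoint lacking authentication
RANSOM_EXT = ".deadbolt"            # advisory: extension appended by DeadBolt
TRUSTED_LAN = [ipaddress.ip_network("192.168.1.0/24")]  # assumption


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.2.29' into (4, 2, 29) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def is_vulnerable(tos_version: str) -> bool:
    """True when the running TOS is older than the 4.2.30 fix."""
    return parse_version(tos_version) < FIXED_VERSION


def find_encrypted_files(root: str) -> List[str]:
    """Walk a storage volume and return files carrying the DeadBolt extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Common log format: client - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_api_requests(lines: Iterable[str]) -> List[dict]:
    """Flag hits on /module/api.php from addresses outside the trusted LAN.

    A NAS that is not exposed to the internet (remediation steps 2 and 4)
    should never see such requests; any hit is worth investigating.
    """
    flagged = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                                  # unparsable line: skip
        path = match.group("path").split("?", 1)[0]   # drop any query string
        if path != API_ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue
        if not any(src in net for net in TRUSTED_LAN):
            flagged.append({"ip": str(src), "ts": match.group("ts"),
                            "method": match.group("method"),
                            "status": int(match.group("status"))})
    return flagged


# Constructed sample log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.45 - - [22/Mar/2022:03:14:07 +0000] "POST /module/api.php?x=1 HTTP/1.1" 200 512',
    '192.168.1.20 - - [22/Mar/2022:08:01:11 +0000] "GET /module/api.php HTTP/1.1" 200 1024',
    '203.0.113.45 - - [22/Mar/2022:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
    'not a log line',
]


def demo_scan() -> List[str]:
    """Build a constructed sample volume in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="tos_demo_")
    os.makedirs(os.path.join(root, "photos"))
    for rel in ("photos/holiday.jpg.deadbolt", "notes.txt", "backup.tar.deadbolt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder")
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in find_encrypted_files(root)]


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("4.2.29"))
    print("encrypted files:", demo_scan())
    for hit in suspicious_api_requests(SAMPLE_LOG):
        print("external API access:", hit)
```

On a real device, point find_encrypted_files at the mounted volume and feed suspicious_api_requests the actual web-server access log; the trusted-LAN list should be edited to match the network the NAS lives on, since the default here is only an assumption.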

Key Details

Property             | Value
CVE ID               | CVE-2022-24990
Vendor / Product     | TerraMaster — TerraMaster OS
NVD Published        | 2023-02-07
NVD Last Modified    | 2025-11-07
CVSS 3.1 Score       | 7.5
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity             | HIGH
CWE                  | CWE-306
CISA KEV Added       | 2023-02-10
CISA KEV Deadline    | 2023-03-03
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | None
Availability        | None

Required Action

CISA BOD 22-01 Deadline: 2023-03-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2022-03-22 | TerraMaster releases TOS 4.2.30 patching CVE-2022-24990; DeadBolt ransomware campaign against TerraMaster NAS devices reported
2023-02-07 | CVE-2022-24990 formally published to NVD — approximately 11 months after the patch
2023-02-10 | CISA adds CVE-2022-24990 to the Known Exploited Vulnerabilities catalog
2023-03-03 | CISA BOD 22-01 remediation deadline

References

Resource               | Type
NVD — CVE-2022-24990   | Vulnerability Database
CISA KEV Catalog Entry | US Government