PatchDay Alert
Analysis · 4 min read · 785 words · By analysis-desk

A User-Agent string is not authentication, but TerraMaster's NAS treated it like one

To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS. The API recognized its own app's identifier and handed over the credentials. Chained to a second bug, that's unauthenticated root.

On a TerraMaster NAS running a vulnerable version, stealing the administrator password meant asking for it with the right header. Send an HTTP request to the module/api.php?mobile/webNasIPS endpoint with User-Agent: TNAS, and the server, recognizing the User-Agent its own mobile app uses, skips authentication and returns device information, including the admin password in a PWD field. That is CVE-2022-24990: a client-supplied string, trivially spoofable by anyone, standing in for authentication.

It’s the same category of mistake as the trusted-header bypass in F5 BIG-IP: the server trusted something the client controls as proof of who the client is. The TerraMaster version is just blunter, because the thing it trusted was a User-Agent.

What the bug is

CVE-2022-24990 is a missing-authentication / information-disclosure flaw (CWE-306) in TerraMaster TOS, the operating system on TerraMaster NAS devices, versions 4.2.29 and earlier. Octagon Networks documented it: the webNasIPS API endpoint failed to authenticate requests carrying the User-Agent: TNAS header and returned sensitive data, including the administrative password and MAC address.

On its own that is a serious leak. Chained, it is full compromise. The companion bug, CVE-2022-24989, is a remote code execution flaw in the api.php?mobile/createRaid endpoint, where the raidtype and diskstring parameters reach a command execution path that runs as root. An attacker leaks the admin credentials with the magic User-Agent, then uses the second endpoint to execute code as root: unauthenticated end to end, and reachable from the WAN. TerraMaster fixed both in TOS 4.2.31. A Metasploit module automates the chain, and CISA added CVE-2022-24990 to the Known Exploited Vulnerabilities catalog on February 10, 2023, marked as known to be used in ransomware campaigns.

The lesson: client-controlled values are not identity

The User-Agent: TNAS check is a specific instance of a general anti-pattern that shows up constantly in device and “mobile API” code: treating a value the client sends as evidence of who or what the client is. A User-Agent, a custom header, a hidden form field, a hardcoded token in the app, all of these are visible to and forgeable by anyone who looks at the traffic. They are useful for routing and feature flags. They are worthless as authentication, because the attacker can set them to anything.

The pattern tends to creep in through “mobile API” shortcuts. A developer builds an endpoint for the device’s own companion app, assumes only the app will call it, identifies the app by its User-Agent, and skips the real auth check because “only our app hits this.” But endpoints don’t know who’s calling; they only know what bytes arrived, and an attacker sends whatever bytes they like. The robust rule is simple and absolute: authenticate every endpoint with real credentials or tokens that the server validates, and never gate access on a client-supplied identifier. If an endpoint returns sensitive data, it needs authentication, full stop, regardless of which app it was “meant” for.
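As an added illustration (not TerraMaster's code, which is PHP and is not reproduced here), the two handlers below contrast the anti-pattern with the rule: vulnerable_web_nas_ips gates on the User-Agent exactly as described above, while hardened_web_nas_ips accepts only a server-issued, HMAC-signed session token that is looked up in a server-side table, and strips the PWD field from the response regardless of who asks. The field names other than PWD, the credential values, the salt and the signing key are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-ins: the page names only the PWD field; every other key,
# the salt and the admin credential are assumptions made for this demo.
SALT = b"constructed-salt"


def hash_password(password: str) -> str:
    """PBKDF2-SHA256 hex digest; a real device would use a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


USERS = {"admin": hash_password("constructed-admin-pw")}
DEVICE = {"hostname": "tnas-demo", "mac": "00:11:22:33:44:55", "PWD": USERS["admin"]}


def vulnerable_web_nas_ips(headers: Dict[str, str]) -> Optional[dict]:
    """The CVE-2022-24990 shape: a client-supplied User-Agent stands in for auth.
    Anyone who sends User-Agent: TNAS gets the record, PWD included."""
    if headers.get("User-Agent") == "TNAS":
        return dict(DEVICE)
    return None


class SessionStore:
    """Sessions the server issued itself: an HMAC-signed id plus a server-side table."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions: Dict[str, str] = {}  # session id -> username

    def _sign(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), "sha256").hexdigest()

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify a real credential, then mint a token the server can later verify."""
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return f"{sid}.{self._sign(sid)}"

    def validate(self, token: Optional[str]) -> Optional[str]:
        """Return the username only if the signature matches and the session exists."""
        sid, _, mac = (token or "").partition(".")
        if not sid or len(mac) != 64 or not hmac.compare_digest(mac, self._sign(sid)):
            return None
        return self._sessions.get(sid)


def hardened_web_nas_ips(headers: Dict[str, str], store: SessionStore) -> Optional[dict]:
    """Authorization rests on something the server issued, never on the User-Agent."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if store.validate(token) is None:
        return None
    record = dict(DEVICE)
    record.pop("PWD")  # even an authenticated caller gets no credential material back
    return record
```

The User-Agent can still be read in the hardened handler for routing or feature flags; it simply never decides whether the request is allowed, and the credential itself never leaves the device in an info response.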

What to do

  • Patch TerraMaster TOS to 4.2.31 or later. This closes both halves of the chain. Given an unauthenticated, root-level, WAN-reachable RCE with public exploit tooling, treat it as urgent on any device still behind.
  • Never expose a NAS management interface to the internet. Like the Zyxel and Samba cases, the realistic attack path runs through internet-facing devices. A NAS admin UI on the open internet is a standing invitation; put it behind VPN or strict IP allowlisting.
  • Assume compromise on long-exposed, unpatched devices. Public exploits date to 2022. Check for unexpected processes, web shells, and unfamiliar accounts, and rotate the admin credentials (which this bug leaked outright).
  • For developers: audit every endpoint that skips auth. Any “internal” or “mobile-only” endpoint that relies on a client-supplied header or identifier instead of real authentication is a finding. Search your codebase for auth checks keyed on User-Agent, custom headers, or hardcoded app tokens, and replace them with validated credentials.
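Two checks for the last two bullets, written here as an added example rather than anything from TerraMaster, Octagon Networks or the advisories. detect_chain runs over constructed access-log lines in Apache combined format (the page does not give TOS's real log layout, so adjust LOG_RE to match yours) and flags webNasIPS hits carrying User-Agent TNAS, any createRaid hit, and a source IP that did both, which is the shape of the chain. audit_source is a first-pass grep over constructed source excerpts for auth checks keyed on a User-Agent or on a custom header compared to a literal. The internal network ranges are an assumption; set them to your own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines (Apache combined format is an assumption, not TOS's format).
ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2023:03:14:07 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "TNAS"
192.168.1.20 - - [10/Feb/2023:03:14:09 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 412 "-" "TNAS"
203.0.113.7 - - [10/Feb/2023:03:14:11 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 55 "-" "TNAS"
198.51.100.4 - - [10/Feb/2023:03:20:00 +0000] "GET /tos/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed LAN ranges; anything else is treated as external. Listed explicitly rather
# than via ipaddress.is_private so documentation ranges in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_chain(log_text: str):
    """Flag the two endpoints from the advisory and pair them per source IP."""
    findings = []
    seen = defaultdict(set)  # ip -> endpoints it touched
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, ua = m["ip"], m["path"], m["ua"]
        if "mobile/webNasIPS" in path and ua == "TNAS":
            rule = "webNasIPS-TNAS-external" if is_external(ip) else "webNasIPS-TNAS-internal"
            findings.append({"ip": ip, "rule": rule, "line": line})
            seen[ip].add("webNasIPS")
        if "mobile/createRaid" in path:
            findings.append({"ip": ip, "rule": "createRaid", "line": line})
            seen[ip].add("createRaid")
    for ip, endpoints in seen.items():
        if {"webNasIPS", "createRaid"} <= endpoints:
            findings.append({"ip": ip, "rule": "chain", "line": ""})
    return findings


# Constructed source excerpts of the kind the developer bullet says to hunt for.
SAMPLE_SOURCE = """\
<?php
if ($_SERVER['HTTP_USER_AGENT'] == 'TNAS') { return device_info_with_pwd(); }
$ua = $_SERVER['HTTP_USER_AGENT']; error_log("client: $ua");
# python
if request.headers.get("User-Agent") == "TNAS":
    return jsonify(device)
if request.headers.get("X-App-Token") == "s3cret-baked-into-the-apk":
    return jsonify(device)
user = sessions.validate(request.headers.get("Authorization"))
"""

AUDIT_PATTERNS = [
    ("User-Agent compared to a literal", re.compile(r"HTTP_USER_AGENT\W.*[=!]==?\s*['\"]")),
    ("User-Agent compared to a literal", re.compile(r"['\"]User-Agent['\"].*[=!]==?\s*['\"]")),
    ("custom header compared to a hardcoded token",
     re.compile(r"['\"]X-[\w-]+['\"].*[=!]==?\s*['\"][^'\"]+['\"]")),
]


def audit_source(text: str):
    """Return (line_no, reason) for lines that gate on a client-supplied identifier.
    Reading the header for logging (line 3 above) is not flagged; comparing it is."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for reason, pat in AUDIT_PATTERNS:
            if pat.search(line):
                hits.append((no, reason))
                break
    return hits
```

The internal webNasIPS hit is still reported, at lower priority, because the legitimate app sends the same header and a compromised LAN host would too; the pairing rule is what separates a probe from the full chain.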

The reframe is short. Authentication is something the server verifies, not something the client asserts, and the moment a system trusts a client-controlled value as identity, anyone who can read a request can forge it. TerraMaster’s NAS handed its admin password to a User-Agent string; the fix is the same everywhere this pattern appears, which is to authenticate the request, not the request’s claims about itself. We flag the NAS and device-API entries because they’re full of these mobile-API shortcuts, and they sit on the internet where everyone can send any header they please.
