CVE-2023-24990: 
Siemens Tecnomatix Plant Simulation vulnerability analysis and mitigation

TerraMaster NAS running TerraMaster Operating System (TOS) version 4.2.29 and earlier contains an authentication bypass vulnerability that allows remote attackers to discover the administrative password by sending a specially crafted request with "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and reading the PWD field in the response (AttackerKB).

The vulnerability exists in the api.php endpoint that handles mobile requests. By sending a request to module/api.php?mobile/webNasIPS with a specific User-Agent header set to "TNAS", an unauthenticated attacker can retrieve sensitive information including the administrator password hash and MAC address. This vulnerability can be chained with CVE-2022-24989 to achieve unauthenticated remote code execution with root privileges (AttackerKB).

The vulnerability allows attackers to obtain administrative credentials without authentication, leading to complete compromise of affected TerraMaster NAS devices. When chained with other vulnerabilities, it enables remote code execution as root (AttackerKB).

Users should update to TOS version 5.x or the latest supported TOS 4.2.x version to mitigate this vulnerability. Additionally, it is strongly recommended not to expose TerraMaster NAS devices directly to the Internet (AttackerKB).

According to a July 2024 bulletin from U.S. government agencies, North Korean state-sponsored attackers have demonstrated interest in this vulnerability, though it's not immediately clear whether it was exploited or just used in reconnaissance/target selection (AttackerKB).