module
TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution
| Disclosed |
|---|
| Dec 12, 2020 |
Disclosed
Dec 12, 2020
Description
This module exploits an unauthenticated remote code-execution vulnerability in TerraMaster TOS 4.2.06
and lower via shell metacharacters in the Event parameter at vulnerable endpoint `include/makecvs.php`
during CSV creation.
Any unauthenticated user can therefore execute commands on the system under the same privileges as the
web application, which typically runs under root at the TerraMaster Operating System.
and lower via shell metacharacters in the Event parameter at vulnerable endpoint `include/makecvs.php`
during CSV creation.
Any unauthenticated user can therefore execute commands on the system under the same privileges as the
web application, which typically runs under root at the TerraMaster Operating System.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.