Page 1 of 1

TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 10 Jul 2025, 17:36
by TMeric
Dear TerraMaster Users,

As previously announced, a security vulnerability was identified in the "password-free sharing" feature of the TOS system. We are pleased to inform you that the issue has now been successfully fixed. To ensure that you can safely and smoothly use the related features, please find the detailed information and subsequent arrangements below:

I. Fix Version Information

1.TOS 6 Fix Version Released:
As planned, we have released TOS 6.0.750 on July 10, 2025. This version has successfully fixed the security vulnerability. We recommend upgrading your system to this version as soon as possible to ensure the effectiveness of the security features.
2.TOS 5 User Upgrade Compatibility:
If you are using TOS 5.x, upgrading to TOS 6.0.750 will also resolve this vulnerability. This upgrade not only addresses the security issue but also brings additional new features. We recommend upgrading promptly to ensure your system's security and full functionality.

II. User Operation Recommendations

1.Password-Free Sharing Feature Usage:
Please note that after upgrading to TOS 6.0.750, previously created password-free sharing links will no longer be valid. You can re-enable the password-free sharing feature as needed.

We appreciate your understanding, trust, and support during the resolution of this issue. If you encounter any problems during the system upgrade or usage, please feel free to contact our technical support team at [email protected]. We are here to assist you.

TerraMaster Technical Team
July 10, 2025


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

To TerraMaster Users:
Recently, we have detected a security vulnerability in the "Password-Free Sharing" function within the TOS system, which may lead to risks of unauthorized access. To ensure the security of your data, we hereby announce relevant information and remediation measures as follows:

I. Vulnerability Overview
• Affected Function: The "Share Files without Password" feature in File Management. (As shown in the figure below.)
• Affected Versions: All TOS 5.x, and TOS 6.x systems.
• Potential Risk: Attackers may exploit this vulnerability to gain access to shared folders.

Image

II. Remediation Measures & Recommendations
1. Immediate Actions (Execute Now)
• Suspend Password-Free Sharing: Refrain from using the "Share without Password" function until a patched version is released to avoid data exposure risks.
• Review Existing Shares: Navigate to 【File Management】→【My Shares】, delete all existing password-free share links, and recreate them as password-protected share links.
2. Long-Term Fix Plan
• TOS 6 Patch Release: A fix for this vulnerability is scheduled for the official TOS 6 release in mid-July. The specific version number will be announced after validation.
• Upgrade Guidance for TOS 5 Users: Users of TOS 5.x are advised to upgrade to the latest TOS 6 version once the patched release is available to obtain security fixes and new features.

III. Commitment to User Data Security
TerraMaster prioritizes user data security as our foremost mission. During the resolution of this vulnerability, we will continue enhancing security mechanisms and strengthening system protections. We sincerely appreciate your trust and support, and apologize for any inconvenience caused.
For technical support, please contact: [email protected].

TerraMaster Technical Team
June 30, 2025

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 10 Jul 2025, 19:50
by crisisacting
So, based on the way the update is written, what's the course of action for 220/420 series TNAS devices whom are unable to upgrade to TOS 6.×?

Also, when will the ARM 212 series receive a patch to fix this vulnerability, since the latter presumably impacts TOS 5.×/6.×, regardless of architecture?

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 10 Jul 2025, 21:46
by OrionXie
crisisacting wrote: 10 Jul 2025, 19:50
Thank you for your continuous support of the 220/420 series. To provide you with more stable and efficient service, we have concentrated our technical resources on the iteration of next-generation products. Currently, the 220/420 series will enter the 'operation assurance phase'—that is, ensuring existing functions work normally but no new features or systematic updates will be released. If you encounter any issues while using it, our customer service team will still provide basic support; we also recommend you pay attention to the next-generation series (such as model F4-424), which has better performance and compatibility upgrades to meet your needs. If you need to migrate data or switch products, we will offer guidance and technical support to ensure a smooth transition.

Regarding the usage experience of the ARM 212 series, we have been continuously following up on everyone's feedback. The new version is currently in the final testing stage and is scheduled to be officially released around the end of this month, further enhancing stability. Please keep an eye on the latest update information on the forum. Thank you for your understanding and support.

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 11 Jul 2025, 02:17
by spleenrun
Hello,

I recently updated my TerraMaster F6-424Max to TOS version 6.0.750. Since the update, I can no longer access the NAS.

The device is powered on, and the hard drives have been active (spinning and making noise) for over an hour, but I cannot access the system through the web interface, file explorer, or TNAS PC application.

I've tried restarting the NAS, but the issue persists. Everything was working fine before the update.

Could you please assist me with this issue?
Thank you in advance for your support.

Best regards,

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 11 Jul 2025, 05:13
by MikeZhang
spleenrun wrote: 11 Jul 2025, 02:17
Please follow our guide to reset system viewtopic.php?t=7178

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 11 Jul 2025, 09:15
by spleenrun
MikeZhang wrote: 11 Jul 2025, 05:13
spleenrun wrote: 11 Jul 2025, 02:17
Please follow our guide to reset system viewtopic.php?t=7178
Thank you for your reply.

If I follow the system reset guide, will I lose any data stored on the NAS?
I want to make sure my files are safe before proceeding.

Best regards,

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 12 Jul 2025, 02:23
by MikeZhang
spleenrun wrote: 11 Jul 2025, 09:15
Your data is safe, but system configuration will be wiped

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 12 Jul 2025, 03:01
by spleenrun
MikeZhang wrote: 12 Jul 2025, 02:23
spleenrun wrote: 11 Jul 2025, 09:15
Your data is safe, but system configuration will be wiped
What should I do if my TOS is not installed on an M.2 SSD?

My system is installed on the default drives (HDDs), not on an SSD.

Re: TerraMaster TOS Security Vulnerability Fix Completion Announcement (July 10, 2025)

Posted: 12 Jul 2025, 04:57
by crisisacting
OrionXie wrote: 10 Jul 2025, 21:46
… To provide you with more stable and efficient service, we have concentrated our technical resources on the iteration of next-generation products. Currently, the 220/420 series will enter the 'operation assurance phase'—that is, ensuring existing functions work normally but no new features or systematic updates will be released. …
Be that as it may, there are also 221/421 series TNAS devices which cannot upgrade beyond certain versions of TOS 5.×/6.× (due to BIOS/UEFI limitations), so if there's a ×86/×64 in-place patch (something that used to be issued by TerraMaster on previous TOS releases) that can be issued for those models on TOS 5.×, it should/would surely be compatible with the ×86/×64 220/420 series devices as well.

A security vulnerability like this should be patched for operation assurance.